Firewall Wizards mailing list archives

Re: Automated IDS response


From: "Michael B. Rash" <mbr () math umd edu>
Date: Sun, 13 Feb 2000 13:24:44 -0500 (EST)


On Sat, 12 Feb 2000, Michael H. Warfield wrote:

:       Portsentry <www.psionic.com> does this for Unix/Linux systems
:  as well.  You can select what classes of services it will react to.  I
:  don't advise UDP or "stealth TCP" because it's spoofable, but connected
:  TCP port scans work great.

Portsentry works well _if_ you are not running ipchains (or other
firewalling code) on your Linux/*NIX box.  Portsentry will not even have
an opportunity to look at packets as they come in if you are running
ipchains since the firewall code is integrated directly into the
kernel.  Hence, if you want any kind of IDS functionality on a firewalled
Linux box, you need an IDS that works with ipchains.  I have written such
a system and it is going to be included in the next release of Bastille
Linux (see www.bastille-linux.org).  It features a response system that
will block all traffic from an offending IP only if the IP has tripped a
set of highly configurable thresholds that the admin defines.

--Mike
http://www.math.umd.edu/~mbr
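An added illustration of the threshold-based response described above (this is editor-written example code, not the Bastille Linux IDS or anything from the post): it parses ipchains "Packet log:" lines, counts distinct denied ports per source, skips UDP by default because the thread calls it spoofable, and emits the deny rule the response would insert. The log lines are constructed samples; the threshold and the assumption that only DENY/REJECT entries count are choices made here.

```python
import re
from collections import defaultdict

# Matches the ipchains "Packet log:" lines written by the 2.2 kernel:
# chain, target, interface, PROTO=<num>, src:port, dst:port, then options.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_ipchains(lines):
    """Return one dict per line that parses as an ipchains log entry."""
    return [m.groupdict() for m in map(IPCHAINS_RE.search, lines) if m]

def offenders(events, port_threshold=5, count_udp=False):
    """Map source IP -> number of distinct denied ports, for sources that
    have tripped the threshold. Only DENY/REJECT entries count, and UDP
    (PROTO=17) is ignored unless asked for, since it is easily spoofed."""
    ports = defaultdict(set)
    for ev in events:
        if ev["target"] not in ("DENY", "REJECT"):
            continue
        if ev["proto"] == "17" and not count_udp:
            continue
        ports[ev["src"]].add(int(ev["dport"]))
    return {ip: len(p) for ip, p in ports.items() if len(p) >= port_threshold}

def block_rules(offender_ips):
    """ipchains rules the response would insert: drop everything from the source."""
    return ["ipchains -I input -s %s -j DENY" % ip for ip in sorted(offender_ips)]

# Constructed sample log (not real traffic): 10.1.1.9 probes six TCP ports,
# 10.1.1.10 sends two denied UDP packets, 10.1.1.11 hits one denied port.
TAIL = "L=60 S=0x00 I=1 F=0x4000 T=64"
SAMPLE_LOG = [
    "fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:4000 "
    "192.168.1.2:%d %s SYN (#3)" % (p, TAIL) for p in (21, 22, 23, 25, 80, 110)
] + [
    "fw kernel: Packet log: input DENY eth0 PROTO=17 10.1.1.10:5000 "
    "192.168.1.2:%d %s (#4)" % (p, TAIL) for p in (53, 111)
] + [
    "fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.11:3000 "
    "192.168.1.2:23 %s SYN (#3)" % TAIL,
    "fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.1.1.12:3001 "
    "192.168.1.2:80 %s SYN (#1)" % TAIL,
]

if __name__ == "__main__":
    hits = offenders(parse_ipchains(SAMPLE_LOG))
    print(hits)                      # {'10.1.1.9': 6}
    for rule in block_rules(hits):
        print(rule)
```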
