Firewall Wizards mailing list archives
Re: Automated IDS response
From: "Michael B. Rash" <mbr () math umd edu>
Date: Sun, 13 Feb 2000 13:24:44 -0500 (EST)
On Sat, 12 Feb 2000, Michael H. Warfield wrote:

: Portsentry <www.psionic.com> does this for Unix/Linux systems as well. You
: can select what classes of services it will react to. I don't advise UDP
: or "stealth TCP" because it's spoofable, but connected TCP port scans work
: great.

Portsentry works well _if_ you are not running ipchains (or other firewalling code) on your Linux/*NIX box. Portsentry will not even have an opportunity to look at packets as they come in if you are running ipchains, since the firewall code is integrated directly into the kernel. Hence, if you want any kind of IDS functionality on a firewalled Linux box, you need an IDS that works with ipchains.

I have written such a system and it is going to be included in the next release of Bastille Linux (see www.bastille-linux.org). It features a response system that will block all traffic from an offending IP only if the IP has tripped a set of highly configurable thresholds that the admin defines.

--Mike
http://www.math.umd.edu/~mbr
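The threshold-driven response Mike describes, sketched as an added example that is not code from the post or from Bastille Linux: it parses ipchains "Packet log:" syslog lines, counts distinct TCP ports probed per source, and emits an ipchains DENY rule only for sources that exceed admin-defined thresholds. The log lines, threshold values and never-block list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed ipchains kernel log sample (2.2-era syslog format), not from
# the original post: one source probing several TCP ports, one stray packet.
SAMPLE_LOG = """\
Feb 13 13:20:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40211 198.51.100.2:21 L=60 S=0x00 I=1001 F=0x4000 T=64 SYN (#5)
Feb 13 13:20:01 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40212 198.51.100.2:23 L=60 S=0x00 I=1002 F=0x4000 T=64 SYN (#5)
Feb 13 13:20:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40213 198.51.100.2:25 L=60 S=0x00 I=1003 F=0x4000 T=64 SYN (#5)
Feb 13 13:20:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40214 198.51.100.2:80 L=60 S=0x00 I=1004 F=0x4000 T=64 SYN (#5)
Feb 13 13:20:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:40215 198.51.100.2:110 L=60 S=0x00 I=1005 F=0x4000 T=64 SYN (#5)
Feb 13 13:21:09 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:51000 198.51.100.2:22 L=60 S=0x00 I=2001 F=0x4000 T=64 SYN (#5)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_ipchains_log(text):
    """Yield (src, proto, dport) for each packet the DENY rules logged."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("target") == "DENY":
            yield m.group("src"), int(m.group("proto")), int(m.group("dport"))


def tripped_sources(text, port_threshold=5, packet_threshold=20,
                    never_block=frozenset({"127.0.0.1"})):
    """Return {src: ipchains rule} for sources exceeding a threshold.

    Thresholds are admin-defined (values here are assumed samples). Only
    TCP (proto 6) is counted, following the quoted advice that UDP hits
    are too easily spoofed; a never-block list protects local addresses
    because logged SYNs can carry a forged source too."""
    ports, packets = defaultdict(set), defaultdict(int)
    for src, proto, dport in parse_ipchains_log(text):
        if proto != 6 or src in never_block:
            continue
        ports[src].add(dport)
        packets[src] += 1
    rules = {}
    for src in ports:
        if len(ports[src]) >= port_threshold or packets[src] >= packet_threshold:
            # Insert at the head of the input chain, logging the blocked hits.
            rules[src] = f"ipchains -I input -s {src} -j DENY -l"
    return rules
```

The rule strings are returned rather than executed so the decision can be reviewed before anything is applied to the firewall.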