On a side note, I am sure this has been discussed here before, but I am
going to mention it again. Running a script to automatically block a host
is a dangerous thing. If I spoof the IP address of, say, all the root
domain servers, and you automatically block those addresses, then I have
effectively shut down your network. A beautiful DoS attack.
On Wed, 13 Dec 2000, Lance Spitzner wrote:
>
> On Wed, 13 Dec 2000, Imre Kertesz wrote:
>
> > I am interested in the process by which intrusion detection products
> > such as RealSecure dynamically push rules to FW-1. I want to use other
> > intrusion detection apps, such as Snort, to work with FW-1 in the same
> > capacity. I assume that this will involve getting the interface API and
> > coding some custom linking apps. Is there an easier way to do this?
>
> Much easier, just integrate the use of SAM. I've created a FW-1 script
> that does just this, http://www.enteract.com/~lspitz/intrusion.html.
>
> With snort, one of the things you can have it do is log alerts to
> a log file, such as /var/adm/messages. Then have swatch monitor
> the alerts and call on SAM when a specific signature(s) are met.
>
> hope that helps
>
> lance
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
--
HEY! I'm a guy like me!
--Homer
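
The spoofing concern raised in this reply can be reduced by putting a gate between the alert watcher and SAM. The following is an added example, not code from either poster or from the linked script: it skips a never-block list, gives every block a timeout, and caps new blocks per window. The log lines, list contents, limits and the `fw sam -t <seconds> -i src <ip>` argument form are assumptions to check against your own FW-1 and Snort versions.

```python
import ipaddress
import re

# Never-block list (contents are assumptions): hosts whose loss would cut us off.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "198.41.0.4/32",   # a.root-servers.net
    "192.0.2.0/24",    # constructed: stands in for our own DNS and mail relays
)]
BLOCK_SECONDS = 600    # every block expires on its own
MAX_NEW_BLOCKS = 2     # new blocks allowed per WINDOW; beyond that, page a human
WINDOW = 300
SRC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ")

class BlockGate:
    def __init__(self):
        self.recent = []   # times at which blocks were issued
        self.active = {}   # ip -> time the block expires

    def decide(self, line, now):
        """Return (verdict, argv); argv is the SAM command to run, or None."""
        m = SRC_RE.search(line)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is None:
            return ("no-source", None)
        if any(ip in net for net in NEVER_BLOCK):
            return ("never-block", None)       # spoofed or not, do not cut it off
        if self.active.get(ip, 0) > now:
            return ("already-blocked", None)
        self.recent = [t for t in self.recent if now - t < WINDOW]
        if len(self.recent) >= MAX_NEW_BLOCKS:
            return ("budget-exceeded", None)   # a flood of sources needs a person
        self.recent.append(now)
        self.active[ip] = now + BLOCK_SECONDS
        return ("block", ["fw", "sam", "-t", str(BLOCK_SECONDS), "-i", "src", str(ip)])

# Constructed alert lines in a syslog-like layout (not real Snort output).
SAMPLE = [
    "Dec 13 10:00:01 gw snort: PING flood: 203.0.113.7 -> 192.0.2.10",
    "Dec 13 10:00:02 gw snort: SYN scan: 198.41.0.4:53 -> 192.0.2.10:53",
    "Dec 13 10:00:03 gw snort: SYN scan: 203.0.113.7:4000 -> 192.0.2.10:25",
    "Dec 13 10:00:04 gw snort: SYN scan: 203.0.113.8:4000 -> 192.0.2.10:25",
    "Dec 13 10:00:05 gw snort: SYN scan: 203.0.113.9:4000 -> 192.0.2.10:25",
    "Dec 13 10:00:06 gw snort: portscan ended",
]

def run_sample():
    gate = BlockGate()
    return [gate.decide(line, now=1000 + i)[0] for i, line in enumerate(SAMPLE)]
```

The gate only returns the command; whether to execute it, log it, or hand it to an operator is left to the caller.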