well, can't SNORT be configured to run an external program depending on the rulesets? You are free to write a script that sends notice to the offender, but most everyone seems to think that will only make the attacker more persistent,

igor'

----- Original Message -----
From: "Michael Lindsay" <[EMAIL PROTECTED]>
To: "McCammon, Keith" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, March 05, 2002 1:56 PM
Subject: RE: IDS that retaliates.

> Replying to spoofed packets with an attack could have nasty consequences.
> If someone spoofed packets with a source address belonging to a bank, and
> you initiated a response that attacked the bank, what might happen then? :)
>
> Mike Lindsay
>
> "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
> To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> cc:
> 06/03/2002 07:00 AM
> Subject: RE: IDS that retaliates.
>
> This is generally referred to as Active Response. In most cases
> (commercial IDS), this involves the IDS sending TCP RST packets to both
> ends of the connection so that the connection is destroyed and cleared
> from the buffers. This is also the extent to which most
> commercially-available IDSs "retaliate." Snort does this, as do ISS and
> several other popular systems.
>
> Now if you're referring to launching counter-attacks or similar
> offensives in response to alerts, this isn't going to go mainstream in
> the near future. There are a number of reasons for this, but most
> notably is the fact that (in the U.S., anyway) intrusive retaliation is,
> technically, every bit as illegal as the act that provoked it in the
> first place.
>
> I, too, have heard of government and defense projects that are
> developing (and refining) intrusive response of technology, but realize
> that the details of such systems would not likely be publicized.
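Added example, not from any poster in this thread: a small policy layer of the kind igor's "external program" hook would call, limited to the "RST both ends" response Keith describes. It parses constructed Snort-style fast alert lines (the format and sample addresses are my assumptions, not taken from the thread) and only ever tears down a TCP session or logs; no action is directed at the source address alone, since, as Mike notes, it may be spoofed.

```python
"""Decide what a defensive IDS 'active response' hook may do with an alert.
Added example (not the thread's or Snort's code). Input is Snort-style
'fast' alert text; samples below are constructed."""
import re

# Snort 'fast' alert line (assumed layout):
# ts [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    "03/05-13:56:01.123456  [**] [1:100001:1] CONSTRUCTED web attack [**] "
    "[Priority: 2] {TCP} 198.51.100.23:40512 -> 192.0.2.10:80",
    "03/05-13:56:02.000001  [**] [1:100002:1] CONSTRUCTED icmp probe [**] "
    "[Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    # ICMP alerts carry no ports; leave them as None rather than guessing.
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def decide_response(alert):
    """Return (action, targets). 'rst_both' means a TCP RST goes to EACH end of
    the session so both sides drop it (the extent of most commercial IDS
    response). Anything else is 'log_only': UDP/ICMP have no session to
    reset, and replying to the source alone risks hitting a spoofed victim."""
    if alert is None or alert["proto"] != "TCP" or alert["sport"] is None:
        return ("log_only", [])
    targets = [(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])]
    return ("rst_both", targets)


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(decide_response(parse_alert(line)))
```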