Re: OT: An Idea for an IDS
At 22:39 on Jun 30, Matt Zimmerman shook the earth with:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > Are there any projects out there to do this right now. If not, is this
> > a good idea? If it is who would be a person/group that would be
> > qualified and have the time/interest to develop it.
> Not really a good idea. Consider what happens when someone forges the IP
You can combat some of this with a simple list of IP
addresses/hostnames/networks that should never under any circumstances be
Another problem seems to be that script kiddies aren't always doing recon
before they do an attack, it seems to be fairly common lately to just run
a series of scripted attacks against a range of IPs (so if you are
vulnerable, you could be exploited at the same time the IDS detects the
attack, if it is detected). Just need to be sure that your IDS and
signatures/detection scheme is up to date, and also possibly use a TCP
reset when you do the block.
SnortSam does something just like this for commercial products and also
IPtables (among other packet filtering schemes), they do include the
ability to timeout a block and to whitelist IPs.