
Re: 'mirror' with iptables



thomas lakofski <thomas@88.net> writes:

[snip how I set up a box]
> > It's pretty rarely that I see any abuse that gets as far down the chain
> > as to deserve human intervention.
> 
> that looks pretty practical. have you considered looking at something
> like 'guardian' http://www.chaotic.org/guardian/ to do automated response
> to selected snort rules? 

I've considered it, to some extent, but in my case I figured it's best just
to look at snort's logs in a bit more detail before blocking things left
right & center.

> it's clever enough to maintain a rolling window of blocking, so you don't
> end up with a huge packetfilter and stale dynamic addresses over time...
[snip]

Whatever automated solution you find, it *must* 
a) allow me to specify some "must-not-block" networks/IP#s, eg upstream
   nameservers, etc
b) allow me back in after a given amount of time
c) never block a valid user after a false alarm - just because my snort db
   is filling up with `retransmission attempt's, it doesn't mean that every
   IP# generating an alert wants blocking. (Yes, I've got some tweaking to
   be doing :)

~Tim
-- 
Cries of mercy rise like rockets            |piglet@stirfried.vegetable.org.uk
Through the paths of the redeemed           |http://spodzone.org.uk/
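
The three requirements listed in the message above (a must-not-block list, blocks that expire, and no block for alerts that are only noise), sketched as an added example that is not part of the original message and is not guardian's code. The addresses, the `EXAMPLE-BLOCK-RULE` label and the 600-second window are constructed assumptions; the class tracks block decisions only and leaves the packet-filter calls to the caller.

```python
import ipaddress

# (a) Networks that must never be blocked. Constructed documentation addresses
# standing in for upstream nameservers and similar hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "127.0.0.0/8")]
# (c) Only alerts from explicitly selected rules may cause a block.
# "EXAMPLE-BLOCK-RULE" is a placeholder label, not a real snort rule.
BLOCKING_RULES = {"EXAMPLE-BLOCK-RULE"}
# (b) Every block is lifted after this many seconds (assumed value).
BLOCK_SECONDS = 600


class BlockList:
    def __init__(self, never_block=NEVER_BLOCK, rules=BLOCKING_RULES,
                 ttl=BLOCK_SECONDS):
        self.never_block, self.rules, self.ttl = never_block, rules, ttl
        self.expires = {}  # source IP -> time at which its block is lifted

    def on_alert(self, now, src, rule):
        """Decide what one alert does: 'block', 'extend' or a skip reason."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.never_block):
            return "skip:must-not-block"
        if rule not in self.rules:
            return "skip:rule-not-selected"   # logged, never blocked
        action = "extend" if src in self.expires else "block"
        self.expires[src] = now + self.ttl    # rolling window
        return action

    def expire(self, now):
        """Release blocks whose window has passed; return those addresses."""
        released = sorted(ip for ip, t in self.expires.items() if t <= now)
        for ip in released:
            del self.expires[ip]
        return released

    def is_blocked(self, src, now):
        return self.expires.get(src, 0) > now


if __name__ == "__main__":
    bl = BlockList()
    # Constructed alerts: (time, source address, rule label)
    for alert in [(0, "192.0.2.5", "EXAMPLE-BLOCK-RULE"),
                  (5, "198.51.100.7", "retransmission attempt"),
                  (9, "198.51.100.7", "EXAMPLE-BLOCK-RULE")]:
        print(alert, "->", bl.on_alert(*alert))
    print("released at t=700:", bl.expire(700))
```

The caller adds a packet-filter rule on `block` and removes it for each address `expire()` returns, so the filter never accumulates stale entries.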


