At 22:39 on Jun 30, Matt Zimmerman shook the earth with:

> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
>
> > Are there any projects out there to do this right now? If not, is this
> > a good idea? If it is, who would be a person/group that would be
> > qualified and have the time/interest to develop it?
>
> Not really a good idea. Consider what happens when someone forges the IP
> addresses.
You can combat some of this with a simple list of IP addresses/hostnames/networks that should never, under any circumstances, be blocked.

Another problem seems to be that script kiddies aren't always doing recon before they do an attack; it seems to be fairly common lately to just run a series of scripted attacks against a range of IPs (so if you are vulnerable, you could be exploited at the same time the IDS detects the attack, if it is detected at all). You just need to be sure that your IDS and signatures/detection scheme are up to date, and also possibly use a TCP reset when you do the block.

SnortSam does something just like this for commercial products and also iptables (among other packet filtering schemes); it does include the ability to time out a block and to whitelist IPs.

http://www.snortsam.net

-nicole
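The two safeguards the reply describes for IDS-driven blocking, a never-block list (hosts and whole networks) and a timeout on every block, are small enough to show in code. The following is an added example written for this page, not code from SnortSam or from anyone in the thread. It assumes IDS alerts arrive as constructed lines of the form `<unix_time> <src_ip> <signature>`; the never-block list, the alert lines and the addresses in them are all constructed, and the iptables command is only rendered as a string, not executed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed never-block list: infrastructure we must keep reachable even if
# an alert names it, so a forged source address cannot cut us off from it.
NEVER_BLOCK = [
    "127.0.0.0/8",   # loopback
    "10.0.0.0/8",    # assumption: the site's internal network
    "192.0.2.1",     # constructed: default gateway
    "192.0.2.10",    # constructed: upstream DNS resolver
]

# Constructed IDS alerts: "<unix_time> <src_ip> <signature>"
SAMPLE_ALERTS = [
    "1000 203.0.113.7 WEB-IIS cmd.exe access",
    "1005 192.0.2.10 WEB-IIS cmd.exe access",   # source forged as our resolver
    "1010 10.0.0.25 SCAN nmap TCP",             # internal host, never auto-block
    "1500 203.0.113.7 WEB-IIS cmd.exe access",  # repeat offender, refreshes TTL
    "1700 198.51.100.4 SCAN nmap TCP",
]


@dataclass
class BlockManager:
    """Decides which alert sources get blocked and for how long."""
    never_block: list
    block_ttl: float                              # seconds a block stays active
    blocks: dict = field(default_factory=dict)    # src_ip -> expiry timestamp

    def __post_init__(self):
        # strict=False lets a bare host address become a /32 (or /128) network.
        self.protected = [ipaddress.ip_network(n, strict=False) for n in self.never_block]

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        # 'in' returns False across address families, so mixing v4/v6 is safe.
        return any(addr in net for net in self.protected)

    def handle_alert(self, src_ip, now):
        """Return 'skipped-protected', 'blocked' or 'refreshed' for one alert."""
        if self.is_protected(src_ip):
            return "skipped-protected"
        still_active = src_ip in self.blocks and self.blocks[src_ip] > now
        self.blocks[src_ip] = now + self.block_ttl   # (re)start the timeout
        return "refreshed" if still_active else "blocked"

    def expire(self, now):
        """Drop blocks whose timeout has passed; return the released addresses."""
        expired = sorted(ip for ip, exp in self.blocks.items() if exp <= now)
        for ip in expired:
            del self.blocks[ip]
        return expired

    def active(self, now):
        return sorted(ip for ip, exp in self.blocks.items() if exp > now)


def render_block_rule(src_ip):
    """Rule text for the block; REJECT with tcp-reset tears down the live
    session instead of silently dropping it. Rendered only, never run here."""
    return f"iptables -I INPUT -s {src_ip} -j REJECT --reject-with tcp-reset"


def run_demo(ttl=600, check_time=2250):
    mgr = BlockManager(NEVER_BLOCK, ttl)
    decisions = []
    for line in SAMPLE_ALERTS:
        ts, src, _signature = line.split(" ", 2)
        decisions.append((src, mgr.handle_alert(src, float(ts))))
    expired = mgr.expire(check_time)
    return decisions, expired, mgr.active(check_time)


if __name__ == "__main__":
    decisions, expired, active = run_demo()
    for src, verdict in decisions:
        print(f"{src:15} {verdict}")
    print("expired:", expired)
    print("active:", active, [render_block_rule(ip) for ip in active])
```

The forged alert naming 192.0.2.10 and the internal scanner in 10.0.0.0/8 are both skipped, so the auto-blocker cannot be tricked into cutting off its own resolver or LAN; the repeat alert from 203.0.113.7 only extends its existing timeout, and by the check time that block has lapsed on its own while the newer one is still active.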