[Discussion] Distributed Blocking

Matt Jonkman jonkman at jonkmans.com
Sun Mar 1 15:15:50 UTC 2009


Kevin Ross wrote:

For active response, the ability to specify agentless blocking devices,
i.e. set up a pix/asa/iptables/pf firewall and say ssh into the device
from the master sensor, go into the correct configuration mode and then
enter the appropriate command, i.e. ssh pix at firewall; enter the
password; en; enter the password; conf t; shun ip or acl. Then after a
set time remove the block. Also, if it is an IPS, the ability to say act
inline but also have active response such as dropping the attack and
blocking the IP, or when an attack is detected once, drop it; if the same
host attacks again, block it completely.


--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

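The agentless blocking workflow Kevin describes above (push a shun/ACL/iptables/pf rule to a firewall from the master sensor, lift it after a set time, and block outright if the same host comes back) is sketched below as an added example; it is not code from this thread or from any of the projects mentioned. The command templates are hypothetical stand-ins for what the message lists ("en; conf t; shun ip") and must be checked against the vendor documentation, and the `send` callback stands in for the SSH session to the device. The `never_block` guard is an assumption added here because an automated blocker that can shun its own sensors, DNS or gateway is a common way to turn a detection into an outage.

```python
"""Timed, escalating agentless blocks (illustrative example, not project code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical per-device command sequences modelled on the message
# ("en; conf t; shun ip"); verify against your device's documentation.
BLOCK_CMDS = {
    "iptables": ["iptables -I INPUT -s {ip} -j DROP"],
    "pf":       ["pfctl -t blocked -T add {ip}"],
    "pix":      ["enable", "configure terminal", "shun {ip}", "end"],
}
UNBLOCK_CMDS = {
    "iptables": ["iptables -D INPUT -s {ip} -j DROP"],
    "pf":       ["pfctl -t blocked -T delete {ip}"],
    "pix":      ["enable", "configure terminal", "no shun {ip}", "end"],
}


@dataclass
class Block:
    ip: str
    expires: Optional[float]   # None means a permanent block


@dataclass
class BlockManager:
    device: str                         # key into BLOCK_CMDS / UNBLOCK_CMDS
    ttl: float                          # seconds a first-offence block lasts
    never_block: list                   # ip_network objects that must never be shunned
    send: Callable[[List[str]], None]   # pushes a command list to the device (SSH in practice)
    active: Dict[str, Block] = field(default_factory=dict)
    history: Dict[str, int] = field(default_factory=dict)

    def _protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)   # raises ValueError on garbage input
        return any(addr in net for net in self.never_block)

    def attack_seen(self, ip: str, now: float) -> str:
        """First offence: timed block. Seen again after it expired: permanent block."""
        if self._protected(ip):
            return "skipped"
        self.history[ip] = self.history.get(ip, 0) + 1
        if ip in self.active:
            return "already-blocked"
        permanent = self.history[ip] > 1
        self.active[ip] = Block(ip, None if permanent else now + self.ttl)
        self.send([c.format(ip=ip) for c in BLOCK_CMDS[self.device]])
        return "permanent" if permanent else "temporary"

    def expire(self, now: float) -> List[str]:
        """Lift timed blocks whose TTL has elapsed; returns the released IPs."""
        released = [ip for ip, b in self.active.items()
                    if b.expires is not None and b.expires <= now]
        for ip in released:
            del self.active[ip]
            self.send([c.format(ip=ip) for c in UNBLOCK_CMDS[self.device]])
        return released


def demo():
    """Run a constructed scenario; returns the manager, the command log and the decisions."""
    log: List[List[str]] = []
    m = BlockManager(device="pix", ttl=600,
                     never_block=[ipaddress.ip_network("192.168.1.0/24")],  # our own net
                     send=log.append)
    results = [
        m.attack_seen("10.0.0.5", now=0),        # first offence -> temporary block
        m.attack_seen("10.0.0.5", now=100),      # still blocked, nothing to push
        m.attack_seen("192.168.1.1", now=100),   # protected address -> skipped
        m.expire(now=700),                       # TTL elapsed -> unblock pushed
        m.attack_seen("10.0.0.5", now=800),      # came back -> permanent block
        m.expire(now=10**9),                     # permanent block never expires
    ]
    return m, log, results


if __name__ == "__main__":
    _, log, results = demo()
    for cmds in log:
        print(" ; ".join(cmds))
    print(results)
```

Every decision goes through `attack_seen`, so the same policy applies whether the event comes from an inline IPS drop or from a passive sensor; the only device-specific part is the template table, which is where an `asa` entry or a `pf` anchor would be added.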