Re: [FW1] Snort and FW-1 .. feasible?
On a side note. I am sure this has been discussed here before, but I am going to mention it again. Running a script to automatically block a host is a dangerous thing. If I spoof the IP address of say, all the root domain servers, and you automatically block those addresses, then I have effectively shut down your network. A beautiful DoS attack.

On Wed, 13 Dec 2000, Lance Spitzner wrote:
>
> On Wed, 13 Dec 2000, Imre Kertesz wrote:
>
> > I am interested in the process by which intrusion detection products
> > such as RealSecure dynamically push rules to FW-1. I want to use other
> > intrusion detection apps, such as Snort, to work with FW-1 in the same
> > capacity. I assume that this will involve getting the interface API and
> > coding some custom linking apps. Is there an easier way to do this?
>
> Much easier, just integrate the use of SAM. I've created a FW-1 script
> that does just this, http://www.enteract.com/~lspitz/intrusion.html.
>
> With snort, one of the things you can have it do is log alerts to
> a log file, such as /var/adm/messages. Then have swatch monitor
> the alerts and call on SAM when a specific signature(s) are met.
>
> hope that helps
>
> lance
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
HEY! I'm a guy like me! --Homer
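
A guard against the spoofed-source problem raised in the reply above, written as an added example that is not part of the original thread or of the script linked in it. It sits between the alert watcher and SAM: it refuses addresses on a never-block list, makes every block temporary, and caps how many new blocks are issued per time window. The network values are constructed samples, the class and parameter names are hypothetical, and the `fw sam -t <seconds> -i src <ip>` form is an assumption to check against your FW-1 version.

```python
import ipaddress
import time

# Constructed sample values: list the resolvers, gateways and partner
# networks your site must never lose reachability to.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.53/32",     # stand-in for an upstream DNS server
    "198.51.100.0/24",   # stand-in for a partner network
    "10.0.0.0/8",        # own internal range
)]


class BlockGuard:
    """Decides whether an alert's source address may be auto-blocked."""

    def __init__(self, never_block, max_blocks=5, window=60.0, timeout=600):
        self.never_block = never_block
        self.max_blocks = max_blocks   # cap on new blocks per window
        self.window = window           # window length in seconds
        self.timeout = timeout         # block lifetime; never permanent
        self.recent = []               # timestamps of recent blocks
        self.active = {}               # ip -> expiry time

    def decide(self, src, now=None):
        """Return (action, reason); action is 'block' or 'skip'."""
        now = time.time() if now is None else now
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return ("skip", "unparseable address")
        if any(ip in net for net in self.never_block):
            return ("skip", "on never-block list")
        if self.active.get(ip, 0) > now:
            return ("skip", "already blocked")
        # A burst of alerts from many sources is what spoofing looks like,
        # so stop blocking and hand the decision to a person.
        self.recent = [t for t in self.recent if now - t < self.window]
        if len(self.recent) >= self.max_blocks:
            return ("skip", "block rate cap reached, alert a human")
        self.recent.append(now)
        self.active[ip] = now + self.timeout
        return ("block", "temporary block for %d s" % self.timeout)

    def sam_command(self, src):
        # Assumed FW-1 SAM invocation; verify flags for your version.
        return ["fw", "sam", "-t", str(self.timeout), "-i", "src", src]
```

Only run the command returned by `sam_command` when `decide` returns `block`, and log every `skip` so that suppressed blocks are still reviewed.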