Re: [FW1] Can I create a dynamic BLOCK based on "sensor IP's"
You can set up a HONEYPOT server and then just turn on CPMAD.
CPMAD will actively block hosts that it detects are hostile, and this is part of
FW-1; however, it is somewhat simplistic at best.
 
This brings us to a question I have not heard a lot of answers or opinions on.
Everyone is producing all these tools for controlling access to information, detecting
unauthorized access or malicious activity, and even the grey hat tools (which
everyone here should get familiar with...). However, it doesn't seem like there is a lot
of information on best practices for RESPONSE to intrusion attempts etc.
 
Do you take the approach of just quietly monitoring your systems and only on
severe breach contact authorities and abuse depts, or do you act quickly on all
cases? Do you have a layered approach where you consider some things not worth
reporting and others as worthy of reporting? Do you report people for simply nmap
scanning your network?
 
I would be curious to hear what people here have to say, but it would probably be best
that you don't post your replies along with info that would identify which company you
work for...since this list is archived and public....heh
 
My feeling is that if you do not exercise your response systems often enough you
might become complacent and trust your basic monitoring tools too much.
 
I think it's best to set up some honeypots and put them up front and in the middle.
Watch them closely, but do not act too quickly. Give them a rope to hang themselves
with. If you automatically block their source address when they perform a scan, it will
become very apparent to them that they have a firewall monitoring their actions.
----- Original Message -----
Sent: Monday, January 08, 2001 3:34 AM
Subject: [FW1] Can I create a dynamic BLOCK based on "sensor IP's"

Hi,
I would like to create some fake "sensor" IP addresses on a FW1 and create a dynamic BLOCK on the source IP address of those who try to connect to specific ports on this address.
 
E.g. I would like to add an address and listen for FTP connect attempts.  If an attempt is logged, I would like FW1 to execute a BLOCK on the source IP address.
 
I know that I've seen some kind of scripting in the past to accomplish this, but I cannot find any references to them anymore.
 
All suggestions are welcome!
Thx,
Patrick
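The mechanism Patrick asks for (watch for connection attempts to decoy "sensor" addresses and react by blocking the source), combined with the reply's advice not to react to a single probe, can be sketched as a log-driven decision step. The following is an added example, not code from either poster and not a Check Point component: it parses constructed log lines in an assumed generic format, matches destination/port against a decoy table, counts hits per source inside a sliding window, exempts addresses that must never be auto-blocked, and only then emits a block decision. The sensor addresses, ports, exempt ranges, timings and log format are all assumptions chosen for the example; the rendered command follows the shape of FW-1's `fw sam` (Suspicious Activity Monitoring) call, which should be verified against the FW-1 version in use.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed decoy ("sensor") addresses and the ports watched on each.
# Nothing on the page names real values; these are example placeholders.
SENSORS = {
    "192.0.2.10": {21, 23},   # hypothetical decoy: FTP and telnet
    "192.0.2.11": {21},       # hypothetical decoy: FTP only
}

# Sources that must never be auto-blocked (assumed: internal ranges where
# our own scanners and monitoring hosts live).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log format for this example (not FW-1's real log layout):
#   "<date> <time> src=<ip> dst=<ip> dport=<port> action=<accept|drop>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: one real two-port probe, one non-sensor port,
# one exempt internal host, and one slow source whose hits fall outside the window.
SAMPLE_LOG = """\
2001-01-08 03:30:01 src=203.0.113.5 dst=192.0.2.10 dport=21 action=drop
2001-01-08 03:30:03 src=203.0.113.5 dst=192.0.2.10 dport=23 action=drop
2001-01-08 03:31:10 src=203.0.113.9 dst=192.0.2.10 dport=80 action=drop
2001-01-08 03:32:00 src=10.1.2.3 dst=192.0.2.11 dport=21 action=drop
2001-01-08 03:32:05 src=10.1.2.3 dst=192.0.2.11 dport=21 action=drop
2001-01-08 03:45:00 src=198.51.100.7 dst=192.0.2.11 dport=21 action=drop
2001-01-08 04:10:00 src=198.51.100.7 dst=192.0.2.11 dport=21 action=drop
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def is_sensor_hit(event):
    """True when the event targets a decoy address on one of its watched ports."""
    ports = SENSORS.get(event["dst"])
    return ports is not None and event["dport"] in ports


def is_exempt(src):
    """True when the source falls inside a range we never auto-block."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in NEVER_BLOCK)


def decide_blocks(lines, threshold=2, window=timedelta(minutes=10),
                  block_for=timedelta(hours=1)):
    """Return {src: (block_until, hit_count)} for sources that touched a sensor
    at least `threshold` times within `window`.  The threshold is the
    'do not act too quickly' part: a single stray packet gets logged, not blocked."""
    hits = defaultdict(list)
    blocks = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_sensor_hit(ev):
            continue
        src = ev["src"]
        if is_exempt(src):
            continue
        hits[src].append(ev["ts"])
        # Keep only the hits that fall inside the sliding window ending now.
        hits[src] = [t for t in hits[src] if ev["ts"] - t <= window]
        if len(hits[src]) >= threshold and src not in blocks:
            blocks[src] = (ev["ts"] + block_for, len(hits[src]))
    return blocks


def block_commands(blocks, now):
    """Render each decision as an FW-1 style SAM call (assumed shape of
    `fw sam -t <seconds> -I src <ip>`; verify against your FW-1 version)."""
    cmds = []
    for src, (until, _count) in sorted(blocks.items()):
        secs = int((until - now).total_seconds())
        if secs > 0:
            cmds.append(f"fw sam -t {secs} -I src {src}")
    return cmds


if __name__ == "__main__":
    decided = decide_blocks(SAMPLE_LOG)
    for src, (until, count) in decided.items():
        print(f"block {src} until {until} ({count} sensor hits)")
    for cmd in block_commands(decided, parse_line(SAMPLE_LOG[1])["ts"]):
        print(cmd)
```

On the sample log only 203.0.113.5 is blocked: it hit two watched ports within seconds. The port-80 probe is not on a sensor port, the 10.1.2.3 hits are exempt, and 198.51.100.7's two hits are 25 minutes apart, so they never share a window. Tuning `threshold` and `window` is where the honeypot operator trades how much rope is given against how quickly a source is cut off.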
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.