[c-nsp] ACLS for Virus
Jeff Kell
jeff-kell at utc.edu
Sun Sep 17 15:56:46 EDT 2006
Netfortius wrote:
> I would look for something similar to snort_inline
> (http://snort-inline.sourceforge.net/) associated with rules specifically
> developed as AV (http://www.bleedingsnort.com/ --> look the AV category up on
> this site). I have personally used bleedingsnort for just triggering info (I
> am not a fan of automated blocking, as I believe clever attackers could use
> that as a DoS tool) about viruses, especially when I knew the community
> developed signatures (even if imperfect) way before AV vendors had a clue,
> but I also know that snort may also have plugins to change third party
> firewalls rules on the fly (I have done something like this for a client
> using Checkpoint, a few years back), so I am thinking that writing
> *Cisco-ACLs-on-the-fly* may have already been attempted.
Look into the snortsam plugin (http://www.snortsam.net) for snort. This
provides a separate daemon to receive specified alert notifications from
snort signatures to generate timed blocks in a variety of
firewalls/appliances. Plugins are available for the snortsam daemon to
generate ACLs, null routes, or PIX/ASA shuns.
Jeff
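Added example (mine, not code from the post or from snortsam): a simplified Python model of the flow Jeff describes, in which alert notifications from Snort signatures become timed blocks that are rendered as Cisco-style ACL lines, with a never-block list and a block cap addressing the automated-blocking DoS concern Netfortius raises. The alert lines, addresses, ACL name and function names are all constructed for this illustration.

```python
import re
import ipaddress

# Constructed Snort alert_fast-style lines (sample data, not real traffic).
SAMPLE_ALERTS = [
    "09/17-15:40:01.123456  [**] [1:2001234:3] VIRUS sample sig [**] [Priority: 1] {TCP} 203.0.113.7:4321 -> 198.51.100.10:445",
    "09/17-15:40:02.654321  [**] [1:2001234:3] VIRUS sample sig [**] [Priority: 1] {TCP} 203.0.113.7:4322 -> 198.51.100.10:445",
    "09/17-15:41:00.000000  [**] [1:2009999:1] VIRUS other sig [**] [Priority: 2] {UDP} 10.0.0.5:1024 -> 198.51.100.20:53",
]
# Captures [gid:sid:rev] and the source address (port optional, e.g. for ICMP).
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\].*\{\w+\} (\S+?)(?::\d+)? -> ")

def parse_alert(line):
    """Return (sid, source_ip) from an alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return (int(m.group(2)), m.group(4)) if m else None

class BlockTable:
    """Timed blocks keyed by source address, modelling the daemon described in the post."""
    def __init__(self, never_block, max_blocks=100):
        # Addresses that must never be blocked, so a spoofed or triggered alert
        # cannot knock out infrastructure (the DoS concern raised in the thread).
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.max_blocks = max_blocks
        self.blocks = {}  # ip -> expiry timestamp

    def add(self, ip, now, duration):
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.never_block):
            return False
        if ip not in self.blocks and len(self.blocks) >= self.max_blocks:
            return False  # cap on active blocks limits damage from an alert flood
        self.blocks[ip] = max(self.blocks.get(ip, 0), now + duration)  # extend, never shorten
        return True

    def expire(self, now):
        self.blocks = {ip: t for ip, t in self.blocks.items() if t > now}

    def render_acl(self, now, name="SNORT-BLOCK"):
        """Drop expired entries, then emit the current block set as an extended ACL."""
        self.expire(now)
        lines = [f"ip access-list extended {name}"]
        lines += [f" deny ip host {ip} any" for ip in sorted(self.blocks)]
        lines.append(" permit ip any any")
        return lines

def process(lines, table, now, duration=3600):
    """Feed alert lines into the table; returns the sorted list of blocked sources."""
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            table.add(parsed[1], now, duration)
    return sorted(table.blocks)
```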