[c-nsp] temporary static routes

Jeff Kell jeff-kell at utc.edu
Tue Jan 6 13:29:50 EST 2009


Church, Charles wrote:
> Policy route with a time-based ACL maybe?  Just a thought...  

Snortsam can do this (http://snortsam.net).  It's really a plugin for
snort, plus a "server" that manages timed blocks on a variety of
firewalls/devices.  You can insert the blocks via a command-line utility
though, no snort needed.  There's a plugin for null routes that does this
explicitly, as well as a PIX/ASA plugin that will do shuns the same way.

There's always the possibility of things getting out of sync... null
route issued without the negating "no" equivalent at the proper time.  I
had somewhere on my to-do list trying to modify that null route plugin
to add a specified "tag" value to the route to mark it for "cleanup"
purposes (e.g., show run | incl ip route.*Null0 tag 12345).  The plugin
also does a "write mem" after each change (which might be better off
omitted, especially if you have a voluminous feed).

Of course the ultimate solution would be a BGP-peering feed of IPs to
null that also did the timeouts for you, but as far as I know, that's
still the great pie in the sky :-)

Jeff
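As an added example, not code from the thread or from Snortsam: a small tracker for timed null routes that emits the matching "no" command when a block expires and reconciles the router's tagged routes against its own state, so routes left behind after a desync can be found. The tag value, the IOS command format and the sample "show run" output are constructed for illustration.

```python
import re

TAG = 12345  # constructed cleanup tag, in the spirit of the "tag" idea in the thread
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) Null0 tag (\d+)$")

def block_cmd(ip, tag=TAG):
    return f"ip route {ip} 255.255.255.255 Null0 tag {tag}"

def unblock_cmd(ip, tag=TAG):
    return f"no ip route {ip} 255.255.255.255 Null0 tag {tag}"

class NullRouteManager:
    """Tracks timed /32 null routes so every block has a scheduled removal."""
    def __init__(self, tag=TAG):
        self.tag = tag
        self.expiry = {}  # ip -> unix time at which the route must be withdrawn

    def add(self, ip, seconds, now):
        """Schedule removal and return the command that installs the block."""
        self.expiry[ip] = now + seconds
        return block_cmd(ip, self.tag)

    def expired(self, now):
        """Return the 'no ip route' commands for every block past its deadline."""
        done = [ip for ip, t in self.expiry.items() if t <= now]
        for ip in done:
            del self.expiry[ip]
        return [unblock_cmd(ip, self.tag) for ip in done]

    def reconcile(self, show_run_output):
        """Compare tagged routes in the running config with tracked blocks.
        Returns (removal commands for stale routes carrying our tag that we no
        longer track, list of tracked blocks that are missing from the box)."""
        on_box = set()
        for line in show_run_output.splitlines():
            m = ROUTE_RE.match(line.strip())
            if m and int(m.group(3)) == self.tag:
                on_box.add(m.group(1))
        stale = sorted(on_box - set(self.expiry))
        missing = sorted(set(self.expiry) - on_box)
        return [unblock_cmd(ip, self.tag) for ip in stale], missing

# Constructed sample of "show run | incl ip route.*Null0" from a router that
# kept one tagged route (198.51.100.7) after its cleanup was missed.
SAMPLE_SHOW_RUN = """\
ip route 192.0.2.10 255.255.255.255 Null0 tag 12345
ip route 198.51.100.7 255.255.255.255 Null0 tag 12345
ip route 10.0.0.0 255.0.0.0 Null0
ip route 203.0.113.1 255.255.255.255 Null0 tag 999
"""

if __name__ == "__main__":
    mgr = NullRouteManager()
    print(mgr.add("192.0.2.10", 600, now=2000))
    print(mgr.reconcile(SAMPLE_SHOW_RUN))
```

Untagged routes and routes carrying a different tag are left alone, so only blocks this tool installed are ever withdrawn.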
