Firewalling Suspicious Traffic in Real Time

With Swatch and Syslog-ng you've got a way to monitor logs as they're written and execute commands based on what those log entries contain. You're probably thinking, "Why, I could use this to dynamically change my firewall rules to block all those baddies from hitting my network!" Technically, you'd be right. In fact, we've done exactly this in the past and gotten it to work. However, it borders on the baling wire and duct tape model of network engineering, and isn't recommended.
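As an added illustration of the log-watch-and-block mechanism just described (example code written for this page, not code from the book, Swatch, Syslog-ng or SnortSam), the script below parses constructed Snort syslog alert lines and produces, rather than runs, the iptables commands a log watcher would fire. The priority threshold and the allowlist of addresses that must never be blocked are assumptions, and they are exactly the safeguards a duct-tape version tends to leave out.

```python
import ipaddress
import re

# Constructed sample syslog lines in Snort's alert_syslog format (not from the page).
SAMPLE_ALERTS = [
    "Mar  4 10:15:01 sensor snort[2211]: [1:2003:8] SQL Worm propagation attempt "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434",
    "Mar  4 10:15:02 sensor snort[2211]: [1:1000001:1] Internal host port sweep "
    "[Classification: Attempted Recon] [Priority: 1] {TCP} 192.0.2.5:4444 -> 192.0.2.10:22",
    "Mar  4 10:15:03 sensor snort[2211]: [1:2003:8] SQL Worm propagation attempt "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434",
    "Mar  4 10:15:04 sensor snort[2211]: [1:384:5] ICMP PING [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10",
    "Mar  4 10:15:05 sensor sshd[500]: Accepted publickey for admin from 192.0.2.5 port 50000",
]

# Matches the "[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
# tail of a Snort syslog alert; classification and ports are optional (ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.+?)"
    r"(?: \[Classification: [^\]]*\])? \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Hypothetical allowlist: an alert must never knock out our own subnet or the upstream gateway.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.1/32")]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sig": m["sig"], "msg": m["msg"], "priority": int(m["prio"]),
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def plan_blocks(lines, max_priority=2, never_block=NEVER_BLOCK):
    """Turn alert lines into a deduplicated list of iptables DROP commands (generated, not executed)."""
    commands, seen = [], set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["priority"] > max_priority:
            continue  # not an alert, or too low-priority to act on automatically
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in never_block) or src in seen:
            continue  # protected address, or already blocked in this batch
        seen.add(src)
        commands.append(f"iptables -I INPUT -s {src} -j DROP")
    return commands


if __name__ == "__main__":
    for cmd in plan_blocks(SAMPLE_ALERTS):
        print(cmd)
```

Note that the source address in an alert is whatever the attacker put on the wire, so without the allowlist a spoofed probe could trick the watcher into blocking your own gateway; that fragility is the main reason the book steers you toward SnortSam instead.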

Here's another place where the open-source model comes to the rescue. Because the developers of Snort concentrate their efforts on making Snort the best traffic analysis system possible, they don't worry about other tasks that folks might like Snort to handle. Instead, they make the source code freely available for anyone to tinker with and leave the optional extras up to other folks on the Net. One result is the SnortSam tool for blocking attacks.
