thomas lakofski <[EMAIL PROTECTED]> writes:

[snip how I set up a box]

> > It's pretty rarely that I see any abuse that gets as far down the chain
> > as to deserve human intervention.
>
> that looks pretty practical. have you considered looking at something
> like 'guardian' http://www.chaotic.org/guardian/ to do automated response
> to selected snort rules?
I've considered it, to some extent, but in my case I figured it's best just to
look at snort's logs in a bit more detail before blocking things left, right &
center.

> it's clever enough to maintain a rolling window of blocking, so you don't
> end up with a huge packetfilter and stale dynamic addresses over time...

[snip]

Whatever automated solution you find, it *must*

a) allow me to specify some "must-not-block" networks/IP#s, e.g. upstream
   nameservers, etc.
b) allow me back in after a given amount of time
c) never block a valid user after a false alarm - just because my snort db is
   filling up with `retransmission attempt's, it doesn't mean that every IP#
   generating an alert wants blocking.

(Yes, I've got some tweaking to be doing :)

~Tim
--
Cries of mercy rise like rockets |[EMAIL PROTECTED]
Through the paths of the redeemed |http://spodzone.org.uk/
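The three requirements above (an allowlist that is never blocked, blocks that expire on their own, and a threshold so a single noisy alert never blocks anyone) sketch a small responder. Here is one written for this thread as an added example; it is not code from the original post nor from guardian, and the Snort "fast" alert lines, the SIDs 1000001/1000002 and the addresses in it are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample alerts in Snort "fast" format (time [**] [gid:sid:rev] msg [**] {proto} src -> dst);
# the SIDs and addresses are hypothetical and not taken from the post.
SAMPLE_ALERTS = [
    "01/02-10:00:01.000000  [**] [1:1000001:1] HYPOTHETICAL scan probe [**] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22",
    "01/02-10:00:02.000000  [**] [1:1000001:1] HYPOTHETICAL scan probe [**] {TCP} 203.0.113.5:4445 -> 192.0.2.10:23",
    "01/02-10:00:03.000000  [**] [1:1000001:1] HYPOTHETICAL scan probe [**] {TCP} 203.0.113.5:4446 -> 192.0.2.10:25",
    "01/02-10:00:04.000000  [**] [1:1000001:1] HYPOTHETICAL scan probe [**] {UDP} 198.51.100.53:53 -> 192.0.2.10:53",
    "01/02-10:00:05.000000  [**] [1:1000002:1] HYPOTHETICAL retransmission attempt [**] {TCP} 198.51.100.77:80 -> 192.0.2.10:40000",
]

# Captures time-of-day, the SID from [gid:sid:rev], and the source address.
ALERT_RE = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(\d+):\d+\].*?\{\w+\}\s+([\d.]+):\d+\s+->")

def parse_alert(line):
    # Returns (seconds since midnight, sid, source ip), or None for a non-alert line.
    m = ALERT_RE.match(line)
    if not m:
        return None
    hh, mm, ss, sid, src = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), int(sid), src

class Responder:
    def __init__(self, allow_nets, watched_sids, threshold=3, window=60, block_ttl=600):
        self.allow_nets = [ipaddress.ip_network(n) for n in allow_nets]  # (a) never block these
        self.watched_sids = set(watched_sids)  # only selected rules may trigger a block
        self.threshold, self.window, self.block_ttl = threshold, window, block_ttl
        self.recent = defaultdict(deque)  # src -> times of watched alerts inside the window
        self.blocks = {}  # src -> expiry time, so (b) every block lifts itself

    def handle(self, line):
        parsed = parse_alert(line)
        if parsed is None:
            return "unparsed"
        now, sid, src = parsed
        if sid not in self.watched_sids:
            return "ignored"  # (c) a noisy rule firing is not a reason to block
        if any(ipaddress.ip_address(src) in net for net in self.allow_nets):
            return "allowlisted"
        q = self.recent[src]
        q.append(now)
        while now - q[0] > self.window:  # drop alerts that fell out of the rolling window
            q.popleft()
        if len(q) < self.threshold:
            return "counted"  # (c) one alert on its own never blocks
        self.blocks[src] = now + self.block_ttl
        return "blocked"

    def active_blocks(self, now):
        # Expire stale entries and return the addresses still blocked.
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        return sorted(self.blocks)
```

Feeding the output of `active_blocks` to the packet filter on each pass keeps the filter small, and the allowlist is checked before any counting so an upstream nameserver can never end up in it.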