Also check out PacketHound from Palisades Systems (http://www.packethound.com) - pretty cool.
-- Brent -----Original Message----- From: McCammon, Keith [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 05, 2002 2:00 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: IDS that retaliates. This is generally referred to as Active Response. In most cases (commercial IDS), this involves the IDS sending TCP RST packets to both ends of the connection so that the connection is destroyed and cleared from the buffers. This is also the extent to which most commercially-available IDSs "retaliate." Snort does this, as do ISS and several other popular systems. Now if you're referring to launching counter-attacks or similar offensives in response to alerts, this isn't going to go mainstream in the near future. There are a number of reasons for this, but most notably is the fact that (in the U.S., anyway) intrusive retaliation is, technically, every bit as illegal as the act that provoked it in the first place. I, too, have heard of government and defense projects that are developing (and refining) intrusive response of technology, but realize that the details of such systems would not likely be publicized.