Crackers and correlations

[Dustin Decker]

> -----Original Message-----
> From: kclug-bounces at kclug.org [mailto:kclug-bounces at kclug.org] On Behalf
> Of Brian Densmore
[snip]
> I do have a question for y'all. Is there some non-crippling
> thing I can do to my system to detect an attack and :
> 1) send me an email (optionally),
> 2) log the conversation for xxx seconds,
> 3) automatically update the firewall to block the offending
> user/script.
> Keep in mind I'm running on an antique here: Pentium Pro 200 MHz @
> 40MB RAM w/ ~8 GB of disk.

Portsentry is the knee-jerk reaction you might get from some folks.  I tend
to disagree however, as it is also frequently used to bind to other service
ports, which can make for a busier box... and reactive blocking isn't so
much a science as an art.  Any reactive system has a tendency, once an
attacker has deduced its use, to be a perfect denial of service tool.  (I.E.
if you bank at umb.com, a spoof of that IP address directed at you can black
hole it, and your significant other can't reach the website to pay bills,
etc.)

Snort can do the log conversation for xxx seconds bit you asked about - it
can log the whole thing truth be known.  If you want to get daring, you can
look at snort in-line as well.  When traffic of a particular type occurs,
you can intercept the responses from your system (or others hiding behind
your snort install) and rewrite them on the way out.  An excellent use for
this is to catch outbound scan attempts from [insert Windows worm of the
week here] infestations and kill 'em. I generally don't have this problem,
but if folks like, oh, RoadRunner.com were to do this, it would make life a
lot easier for the rest of us.

Obviously there are pluses and minuses to pretty much everything.  Paper or
plastic, Coke or Pepsi, Free or Slave, Kerry or Bush - merely illusions of
choice.  The same seems to be true of security - short of turning it off and
locking it away, there is no silver bullet.

D.