Date: Mon, 24 Jun 2002 20:15:00 -0400
From: Klaus Steden
To: Scott Ullrich
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: automated blackholing
Message-ID: <20020624201500.P589@cthulu.compt.com>
In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C96016C9E96@exchange.corp.cre8.com>; from sullrich@CRE8.COM on Mon, Jun 24, 2002 at 07:55:55PM -0400

> FWIW, this could be done very easily with snort and the guardian perl
> script. You could simply craft a snort rule for the particular port and
> then change guardian to lookup host ip's on detection of the rule. If they
> are listed in the file, deny them with ipfw.
>
> Is this more up your alley?
>
Yeah, it sounds like what I'm after, but based on the number of questions
that asked "what exactly do you want to do?", I've been convinced that I'm
over-complicating the situation, and simply blackholing what I've got listed
in my /etc/hosts.deny should be enough.

Klaus
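
The approach the message settles on, turning the address entries of /etc/hosts.deny into ipfw deny rules, sketched as an added example; it is not part of the original message and not code from snort, guardian or FreeBSD. It assumes IPv4 entries only, the starting rule number 1000 is arbitrary, the sample file is constructed, and the commands are only generated, never executed.

```python
import ipaddress

# Constructed sample in hosts.deny format: daemon_list : client_list
SAMPLE_HOSTS_DENY = """\
# constructed sample, documentation address ranges only
ALL: 192.0.2.15
sshd: 198.51.100.0/255.255.255.0, 203.0.113.
ftpd: .example.net
ALL: ALL EXCEPT 192.0.2.1
"""

def to_network(pattern):
    """Return an IPv4Network for an address-based client pattern, else None."""
    if pattern.endswith("."):
        # tcp_wrappers prefix form: "203.0.113." matches 203.0.113.0/24
        octets = pattern.rstrip(".").split(".")
        pattern = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.IPv4Network(pattern, strict=False)  # accepts net/mask too
    except ValueError:
        return None  # hostname, domain suffix, or wildcard such as ALL

def blackhole_rules(text, first_rule=1000):
    """Turn hosts.deny text into ipfw commands; return (commands, skipped lines)."""
    nets, skipped = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        clients = fields[1].replace(",", " ").split() if len(fields) > 1 else []
        parsed = [to_network(c) for c in clients]
        # EXCEPT clauses and name-based patterns cannot be expressed as a plain
        # deny rule, so the whole line is reported instead of half-applied.
        if not clients or "EXCEPT" in clients or None in parsed:
            skipped.append(line)
            continue
        # The daemon list is ignored: a firewall rule drops ALL traffic from the
        # source, which is broader than a per-daemon hosts.deny entry.
        nets.update(parsed)
    ordered = sorted(ipaddress.collapse_addresses(nets))
    cmds = ["ipfw add %d deny ip from %s to any" % (first_rule + i, net)
            for i, net in enumerate(ordered)]
    return cmds, skipped

if __name__ == "__main__":
    commands, left_out = blackhole_rules(SAMPLE_HOSTS_DENY)
    print("\n".join(commands))
    print("not converted:", left_out)
```

Review the skipped lines by hand before loading anything: entries that name hosts or use EXCEPT have no direct packet-filter equivalent.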