Several intrusion detection strategies have been developed, including:

Host-based memory and process protection
    Systems for monitoring process execution and killing processes that appear malicious; for example, processes that are trying to execute a buffer overflow. These tools are interesting, but not particularly related to Snort.

Session interception
    Terminates a TCP session by sending an RST (reset) packet. When the flexible response plug-in is enabled, Snort can automatically terminate TCP sessions that appear to be hostile attacks. This feature is also called session sniping.

Gateway intrusion detection
    Snort can block hostile traffic using Snort Inline (thus acting as a router), or send messages to other routers, manipulating their access lists to block hostile traffic, using SnortSAM.

Figure 8-1 shows Snort running as a session interceptor using the flexible response plug-in. When an attack is detected, RST packets are sent to the hosts, ending the conversation.

[Figure 8-1. Snort as a session interceptor]

Figure 8-2 shows Snort running as a firewall/router/IPS. When an attack is detected, all future traffic from the attacker is blocked.

[Figure 8-2. Snort as a gateway IPS]

Figure 8-3 shows Snort running with SnortSAM. When an attack is detected, the border router is directed to block inbound traffic from the attacking host.

[Figure 8-3. Snort managing access lists on border devices]
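The session interception strategy above depends on a detail the text leaves implicit: a forged RST is only honoured by an endpoint if its sequence number matches what that endpoint expects next, so the sniper must derive the right numbers from the segment it observed, and it loses the race if more data has flowed since. The model below is an added illustration written for this page, not Snort's flexible response code; the `rst_snd`, `rst_rcv` and `rst_all` mode names mirror the plug-in's `resp` keyword values, while the `Segment`, `Rst` and `EndpointState` types, the sample flow and the `simulate_snipe` helper are constructed for the example. The acceptance check implements the RFC 793 receive-window test, with a `strict` flag for the RFC 5961 exact-match behaviour of modern stacks.

```python
"""Model of session sniping: derive the RSTs an IDS injects for a hostile
TCP flow and check whether each endpoint would accept them.  Constructed
example, not Snort's implementation.
"""
from dataclasses import dataclass

MOD32 = 1 << 32  # TCP sequence space wraps at 2^32


@dataclass(frozen=True)
class Segment:
    """Fields the IDS sees in the last observed packet of the flow."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int          # sequence number of the first payload byte
    ack: int          # acknowledgment number carried by the segment
    payload_len: int  # bytes of data in this segment


@dataclass(frozen=True)
class Rst:
    """A forged RST, described by who it impersonates and what it carries."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    target: str  # "receiver" or "sender" of the observed segment


@dataclass
class EndpointState:
    """What one side of the connection currently expects (constructed)."""
    rcv_nxt: int  # next sequence number this endpoint expects
    rcv_wnd: int  # size of its receive window


def build_rsts(seg: Segment, mode: str = "rst_all") -> list[Rst]:
    """Return the RST(s) a sniper derives from `seg`; mode is one of
    rst_snd (reset the sender), rst_rcv (reset the receiver), rst_all."""
    if mode not in ("rst_snd", "rst_rcv", "rst_all"):
        raise ValueError(f"unknown mode {mode!r}")
    # The receiver of `seg` will next expect seg.seq + payload_len, so a
    # RST that impersonates the sender must carry exactly that number.
    nxt = (seg.seq + seg.payload_len) % MOD32
    to_receiver = Rst(seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port,
                      seq=nxt, target="receiver")
    # The sender has acknowledged seg.ack, so that is what it expects next
    # from the receiver; the RST impersonating the receiver carries it.
    to_sender = Rst(seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port,
                    seq=seg.ack, target="sender")
    out = []
    if mode in ("rst_rcv", "rst_all"):
        out.append(to_receiver)
    if mode in ("rst_snd", "rst_all"):
        out.append(to_sender)
    return out


def in_window(seq: int, state: EndpointState) -> bool:
    """RFC 793 check: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - state.rcv_nxt) % MOD32 < state.rcv_wnd


def rst_accepted(rst: Rst, state: EndpointState, strict: bool = False) -> bool:
    """Would this endpoint tear down the connection on receiving `rst`?
    strict=True models RFC 5961, which only resets on an exact match."""
    if strict:
        return rst.seq == state.rcv_nxt
    return in_window(rst.seq, state)


def simulate_snipe(seg: Segment, bytes_after_observation: int,
                   strict: bool = False) -> dict[str, bool]:
    """Did the RST toward each side land?  `bytes_after_observation` is the
    extra payload the sender pushed before the IDS's RST arrived; it models
    the race a session interceptor runs against the live connection."""
    rsts = {r.target: r for r in build_rsts(seg, "rst_all")}
    receiver = EndpointState(
        rcv_nxt=(seg.seq + seg.payload_len + bytes_after_observation) % MOD32,
        rcv_wnd=65535)
    sender = EndpointState(rcv_nxt=seg.ack, rcv_wnd=65535)
    return {"receiver": rst_accepted(rsts["receiver"], receiver, strict),
            "sender": rst_accepted(rsts["sender"], sender, strict)}


if __name__ == "__main__":
    # Constructed hostile flow: client 192.0.2.10 -> server 198.51.100.5
    flagged = Segment("192.0.2.10", 40000, "198.51.100.5", 80,
                      seq=1000, ack=5000, payload_len=100)
    print(build_rsts(flagged))
    print("immediate:", simulate_snipe(flagged, 0))
    print("after 50 more bytes:", simulate_snipe(flagged, 50))
```

The second `simulate_snipe` call shows the limitation a practitioner should keep in mind when relying on Figure 8-1's approach: once the attacker's host has sent more data than the IDS acted on, the RST aimed at the receiver carries a stale sequence number and is silently dropped, whereas the RST aimed at the sender still succeeds because nothing new has arrived from the server side. Gateway approaches such as Snort Inline or SnortSAM do not run this race, which is one reason the text presents them as a separate strategy.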