8.1 Intrusion Prevention Strategies
detection strategies have been developed, including:
- Host-based memory and process protection
Systems that monitor process execution and kill processes that
appear malicious; for example, a process that is attempting a
buffer overflow. These tools are interesting, but not particularly
related to Snort.
- Session interception
Terminates a TCP session by sending an RST (reset) packet. When the
flexible response plug-in is enabled, Snort can automatically
terminate TCP sessions that appear to be hostile attacks. This
feature is also called
- Gateway intrusion detection
Snort can block hostile traffic using Snort Inline (thus acting as a
router), or send messages to other routers that manipulate their
access lists to block hostile traffic using SnortSAM.
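As an added example (not from the book or the Snort project), the following Snort 2.x rule fragment writes one constructed signature four ways so the three Snort-based responses above can be compared against plain alerting: session interception through the flexible response `resp` option, inline dropping under Snort Inline, and SnortSAM blocking through the `fwsam` rule option and its `alert_fwsam` output plug-in. The content pattern, the SIDs, the SnortSAM agent address and the key are all constructed placeholders.

```snort
# Detection only: log the event, take no action (baseline for comparison).
# The content string and SIDs are constructed placeholders, not a real signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed web attack"; flow:to_server,established; content:"EXAMPLE-ATTACK-PATTERN"; classtype:web-application-attack; sid:1000001; rev:1;)

# Session interception (flexible response): same match, but Snort sends RST packets.
# rst_snd resets the sender, rst_rcv the receiver, rst_all both ends of the session.
# Caveat: the matching packet has already been delivered; this ends the session,
# it does not stop that packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed web attack - session reset"; flow:to_server,established; content:"EXAMPLE-ATTACK-PATTERN"; resp:rst_all; classtype:web-application-attack; sid:1000002; rev:1;)

# Gateway IPS (Snort Inline): Snort sits in the forwarding path, so the action
# "drop" discards the matching packet itself instead of only alerting on it.
# Only meaningful when Snort is running inline; a passive sensor cannot drop.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed web attack - dropped inline"; flow:to_server,established; content:"EXAMPLE-ATTACK-PATTERN"; classtype:web-application-attack; sid:1000003; rev:1;)

# SnortSAM: the output plug-in (placed in snort.conf) names the SnortSAM agent on
# the border device; 192.0.2.1 and EXAMPLE-KEY are placeholders.  The fwsam option
# then asks the agent to block the source address for a limited time.  Keeping the
# block time-limited bounds the damage if an attacker spoofs a legitimate source.
output alert_fwsam: 192.0.2.1:898/EXAMPLE-KEY
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed web attack - blocked at border"; flow:to_server,established; content:"EXAMPLE-ATTACK-PATTERN"; fwsam: src, 5 minutes; classtype:web-application-attack; sid:1000004; rev:1;)
```

In practice only one of the responding rules would be loaded for a given signature; the four are shown together so the difference is visible in the rule text alone. The `output alert_fwsam` line belongs in snort.conf rather than the rules file, and the `drop` action is honoured only when Snort is started in inline mode.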
Figure 8-1 shows Snort running as a session interceptor
using the flexible response plug-in. When an attack is detected, RST
packets are sent to the hosts, ending the conversation.
Figure 8-1. Snort as a session interceptor
Figure 8-2 shows Snort running as a firewall/router/IPS. When an attack is
detected, all future traffic from the attacker is blocked.
Figure 8-2. Snort as a gateway IPS
Figure 8-3 shows Snort running with SnortSAM, managing access lists on
border devices. When an attack is detected, the border router is directed
to block inbound traffic from the attacking host.
Figure 8-3. Snort managing access lists on border devices