On Thu, 17 Aug 2006, Jordan Medlen wrote:
I'm sure most people on this list have heard of or use snort. There is an add-on package called snortsam. This package allows automation of blocking traffic deemed malicious via a null route statement or ACL statement. We have been in the process over the last month of implementing this on our network with much success. I think the only problem that we have had with it thus far is underestimating just how well it was actually going to work. As with any snort implementation, it takes time to tweak and tune the rule sets, however we have managed to kill a huge amount of traffic either coming from our customers or destined to our customers. While this is not a perfect system, it is much better than idly sitting there and letting the abuse continue.
--- Jordan Medlen Chief Technology Officer and Architect Sago Networks
Is this the kind of thing that could get a boost from projects like ThreatNet (http://www.ali.as/threatnet/)? I've been peripherally involved with the project, mostly in chasing conceptual issues and hammering out the trust relationship details, in addition to being an rabid, er, avid developer of network management tools, right down to near-real time log analyzers. I think that if you're to a point that you trust your tools enough to make an informed decision and automate your null routes, why not expand on that and use the same networked intelligence the C&C's embody? - billn