8.1 Intrusion Prevention Strategies

Several intrusion detection strategies have been developed, including:

Host-based memory and process protection

Systems for monitoring process execution and killing processes that appear malicious; for example, processes that are trying to execute a buffer overflow. These tools are interesting, but not particularly related to Snort.

Session interception

Terminates a TCP session by sending an RST (reset) packet. When the flexible response plug-in is enabled, Snort can automatically terminate TCP sessions that appear to be hostile attacks using the flexible response plug in. This feature is also called session sniping.

Gateway intrusion detection

Snort can block hostile traffic using Snort Inline (thus acting as a router), or send messages to other routers manipulating their access lists to block hostile traffic using SnortSAM.

Figure 8-1 is Snort running as a session interceptor using the flexible response plug-in. When an attack is detected, RST packets are sent to the hosts, ending the conversation.

Figure 8-1. Snort as a session interceptor

Figure 8-2 shows Snort running as firewall/router/IPS. When an attack is detected, all future traffic from the attacker is blocked.

Figure 8-2. Snort as a gateway IPS

Figure 8-3 shows Snort running with SnortSAM.

Figure 8-3. Snort managing access lists on border devices

When an attack is detected, the border router is directed to block inbound traffic from the attacking host.