Hello!
I have a little question.
Is it possible to lock out an IP address from the communication for a while, if Zorp detects that some error is repeated in the communication? (For example: there is a WEB server in the DMZ. The "bad guy" tries some evil URL, and for the first x times the WEB server says some error, before the "bad guy" finds a hole. Zorp detects the "error" answers from the WEB server and closes the communication with the "bad guy"'s IP address for a "configurable time", if x > "a configurable parameter".)
So, I think it is possible with Zorp, but I have very limited Python programming skill. So could anybody write an example policy.py???
Of course it is possible ;) First of all you must define who a bad guy is: someone posting requests frequently with non-200 return codes (the OK return code in HTTP), or someone posting suspicious filenames (containing /etc/passwd for example). Once this is defined, you have to hook into the appropriate events. Afterwards you will need a hash table containing bad guys. The index will be the IP address, and the value is the number of times that given IP address did something bad. Each suspicious event increments this value, and once it reaches a threshold, further requests should be denied. An additional control should be added to decrement this threshold, for example 1% in each minute.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
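The counting logic from the reply above (per-IP score, threshold, 1%-per-minute decay), as an added example that is not part of the original thread and not Zorp code: it is plain Python, and the hook into Zorp's proxy events is left as an assumption, with `record()` meant to be called from the response-handling hook and `is_blocked()` from the connection-start hook. The threshold, the decay rate, the `now` clock parameter and the sample events are all constructed for the demonstration.

```python
import time


def is_suspicious(status_code, url):
    """The two 'bad guy' definitions from the reply: a non-200 response,
    or a suspicious filename such as /etc/passwd in the URL."""
    return status_code != 200 or "/etc/passwd" in url


class BadGuyTracker:
    """Hash table of bad guys: client IP -> (score, last update time).
    Each suspicious event adds 1 to the score; the score decays by
    decay_per_minute (1% by default) for every minute since the last
    update, so a blocked client is eventually let back in."""

    def __init__(self, threshold=10, decay_per_minute=0.01, now=time.time):
        self.threshold = threshold
        self.decay_per_minute = decay_per_minute
        self.now = now  # injectable clock (assumption, for testing)
        self.scores = {}

    def _current_score(self, ip, t):
        score, last = self.scores.get(ip, (0.0, t))
        minutes = max(0.0, (t - last) / 60.0)
        # compound 1%-per-minute decay, applied lazily on access
        return score * (1.0 - self.decay_per_minute) ** minutes

    def record(self, ip, suspicious):
        """Call from the response hook; returns the IP's new score."""
        t = self.now()
        score = self._current_score(ip, t) + (1.0 if suspicious else 0.0)
        self.scores[ip] = (score, t)
        return score

    def is_blocked(self, ip):
        """Call from the connection-start hook before accepting a client."""
        return self._current_score(ip, self.now()) >= self.threshold


def process_events(events, tracker):
    """Walk a list of (client_ip, status_code, url) events (constructed
    sample input) and return the allow/deny decision for each request."""
    decisions = []
    for ip, status, url in events:
        if tracker.is_blocked(ip):
            decisions.append("deny")
            continue  # request never reaches the WEB server
        tracker.record(ip, is_suspicious(status, url))
        decisions.append("allow")
    return decisions
```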
participants (1)
- Balazs Scheidler