[zorp] Zorp IDS functionality

Balazs Scheidler bazsi@balabit.hu
Thu, 26 Jul 2001 18:07:17 +0200


> Hello!
>
> I have a little question.
>
> Is it possible to lock out an ip address from the communication for a
> while, if the zorp detects that some error repeated in the communication.
> (for example: There is WEB server in DMZ. The "bad guy" try some evil URL,
> and for the first x times  the WEB server said some error, before the "bad
> guy" find a hole. Zorp detects the "error" answers from the WEB server and
> closes the communication with the "bad guy"s ip address for a "configurable
> time", if x > "a configurable parameter".
> 
> So, I think it is possible with zorp, but I have a very limited Python
> programming skill. So could anybody write an example policy.py???

Of course it is possible ;) First of all you must define who a bad guy is.

Someone posting requests frequently with non-200 return codes (the OK return
code in HTTP). Or someone posting suspicious filenames (containing
/etc/passwd for example). Once this is defined, you have to hook into 
the appropriate events.

Afterwards you will need a hash table containing bad guys. The index will be
the IP address, and the value is the number of times that given IP address
did something bad.

Each suspicious event increments this value, and once it reaches a
threshold, further requests should be denied. An additional control should
be added, to decrement this threshold, for example 1% in each minute.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
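The table Bazsi describes above, written out as an added illustration in plain Python. This is not part of his message and not Zorp's own code: the class and function names, the sample "suspicious" patterns, the threshold, the 1%-per-minute decay of the per-IP score and the block duration are all assumptions chosen for the example, and the step of hooking `handle_request` into the proxy's request/response events is left out because the page does not show that API.

```python
import time

# Added example, not Zorp code. A "bad guy" table keyed by IP address, as
# sketched in the reply: each suspicious event raises the score for that
# address, the score decays over time, and an address whose score reaches
# the threshold is denied for a configurable period.

# Constructed sample list of URL fragments that count as "evil" on their own.
SUSPICIOUS_PATTERNS = ("/etc/passwd", "../", "cmd.exe")


def is_suspicious(status, url):
    """A request is suspicious if the server answered with a non-200 status,
    or if the URL contains one of the sample patterns above."""
    if status != 200:
        return True
    return any(p in url for p in SUSPICIOUS_PATTERNS)


class BadGuyTable:
    """Maps IP address -> [score, last_update]. The score loses
    decay_per_minute of its value for every whole minute without an event
    (1% per minute, the rate suggested in the reply); reaching `threshold`
    locks the address out for `block_seconds`."""

    def __init__(self, threshold=10, decay_per_minute=0.01, block_seconds=600):
        self.threshold = threshold
        self.decay = decay_per_minute
        self.block_seconds = block_seconds
        self.scores = {}         # ip -> [score, time of last event]
        self.blocked_until = {}  # ip -> time at which the lock-out expires

    def score(self, ip, now=None):
        """Current score for ip, with decay applied for the elapsed whole minutes."""
        now = time.time() if now is None else now
        entry = self.scores.get(ip)
        if entry is None:
            return 0.0
        value, last = entry
        minutes = int(max(0.0, now - last) // 60)
        return value * (1.0 - self.decay) ** minutes

    def is_blocked(self, ip, now=None):
        """True while the lock-out for ip has not expired; expired entries are dropped."""
        now = time.time() if now is None else now
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            return False
        return True

    def record_event(self, ip, now=None):
        """Count one suspicious event for ip. Returns True if this event
        pushed the address over the threshold and it is now locked out."""
        now = time.time() if now is None else now
        value = self.score(ip, now) + 1.0
        self.scores[ip] = [value, now]
        if value >= self.threshold:
            self.blocked_until[ip] = now + self.block_seconds
            self.scores.pop(ip, None)  # start from zero once the block expires
            return True
        return False


def handle_request(table, ip, url, status, now=None):
    """Decision for one completed request: 'deny' if the client is locked
    out (or has just crossed the threshold), otherwise 'allow'."""
    now = time.time() if now is None else now
    if table.is_blocked(ip, now):
        return "deny"
    if is_suspicious(status, url) and table.record_event(ip, now):
        return "deny"
    return "allow"


def demo():
    """Constructed traffic: a scanner probing a web server and a normal client.
    The fifth 404 in a row trips a threshold of 5; the block lasts 300 s."""
    table = BadGuyTable(threshold=5, block_seconds=300)
    t0 = 1000.0
    decisions = []
    for i in range(5):
        decisions.append(handle_request(table, "10.0.0.5", "/probe%d" % i, 404, t0 + i))
    decisions.append(handle_request(table, "10.0.0.5", "/index.html", 200, t0 + 10))   # still locked out
    decisions.append(handle_request(table, "10.0.0.5", "/index.html", 200, t0 + 400))  # block has expired
    decisions.append(handle_request(table, "192.168.1.7", "/index.html", 200, t0 + 1))  # normal client
    return decisions


if __name__ == "__main__":
    print(demo())
```

In a real deployment the decision would run in the proxy's response hook, where both the client address and the server's status code are known, and `blocked_until` would need to be shared between proxy instances rather than kept per process. Decay is applied lazily (only when an address is next looked at) so no timer thread is needed; a periodic sweep that drops entries whose decayed score is near zero keeps the table from growing without bound.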