[Bro] Intrusion prevention
vern at icir.org
Fri Aug 26 15:23:05 PDT 2005
> Will it be interfacing with a firewall like iptables (like snort-inline does) ?
It's a different API, and not directly suitable for use with something
like iptables (our approach is quite fine-grained).
Note, we already (and for a long time) run Bro in a reactive fashion, for
which the policy script can drop hostile traffic. But this isn't the full
power of an IPS since there's latency between discovering a problem and
blocking a host, so damage can still occur.
More information about the Bro