The world of intrusion detection is starting to change. People are interested in not only detecting attacks, but preventing them. This shift of focus has led to the development of a new class of security tool, the Intrusion Prevention System (IPS). While the term IPS bears the strong odor of a marketing department, the concept is attractive.
Some of the solutions on the market (advertised as IPS) are really just network IDS installed locally on servers and workstations throughout the enterprise, but some are truly designed to detect and prevent intrusions. There are several intrusion prevention strategies being developed and deployed, including host-based memory and process protection mechanisms, session interception (sniping), and network firewall/gateway solutions. The Honeynet project has done some great work with Snort Inline and similar technologies in their second generation Honeypots. You can look at their work at http://project.honeynet.org.
Several intrusion detection strategies have been developed, including:
Systems for monitoring process execution and killing processes that appear malicious; for example, processes that are trying to execute a buffer overflow. These tools are interesting, but not particularly related to Snort.
Terminates a TCP session by sending an RST (reset) packet. When the flexible response plug-in is enabled, Snort can automatically ...