The MetaFlows Design Team has developed an active response system that lets subscribers disrupt TCP (and sometimes UDP) sessions using a sensor deployed as a passive device. It works great for enforcing network usage policies associated with particular Snort rules (such as BitTorrent, Dropbox, etc.) or simply for blocking particular hosts that should not be on the network. The active response mechanism works by injecting spoofed TCP reset packets into the network (among other things). Every time something is blocked, a log message associated with that action appears in the MetaFlows interface. For a passive sensor to actually block traffic, subscribers need to modify the sensor configuration and enable the “Isolate” checkbox. Leaving the checkbox off will only simulate the actions and log what would have been blocked.
Whether the sensor is deployed inline or uses active response, the default block rules are not turned on. It is up to the customer to decide what should be blocked.
For answers to any questions about the Isolate Plugin or Soft IPS, please contact the MetaFlows Design Team at firstname.lastname@example.org.