Snort mailing list archives

RE: Wish list...


From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Tue, 21 Aug 2001 17:07:25 -0700

Once it's been denied by ipchains (and syslogged), it's too late for snort
to alert on it, even if there was a real-time "API".  

However, you could add rules in snort beforehand to alert on all the same
traffic that ipchains denies (maybe start with "pass" rules for all valid
traffic; alert on everything else).  Another (more exotic) option could be
a script that could pick this up from syslog, edit the current snort rules
to alert on the same IPs, ports, etc, and restart snort.  This wouldn't get
all the traffic, but snort would alert on future traffic to/from that
source/destination IP or ports.

/Dan Hawrylkiw
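As an added illustration of the syslog-to-rules script Dan sketches above (not code from the thread), a small Python script that turns ipchains DENY log entries into snort alert rules. It assumes the ipchains "-l" syslog line format shown in the comment and the sid/rev rule options of Snort 1.8; the sample log lines are constructed.

```python
import re
# Assumed ipchains "-l" syslog format (the sample lines below are constructed):
#   Packet log: input DENY eth0 PROTO=6 10.0.0.5:4021 192.168.1.2:23 L=60 ...
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_ipchains_line(line):
    """Return (proto, src, sport, dst, dport) for a DENY line, else None."""
    m = IPCHAINS_RE.search(line)
    if m is None or m.group("target") != "DENY":
        return None
    proto = PROTO_NAMES.get(int(m.group("proto")), "ip")
    return (proto, m.group("src"), m.group("sport"), m.group("dst"), m.group("dport"))

def snort_rule(proto, src, dst, dport, sid):
    """One snort alert rule for future traffic of a denied flow. The source
    port is left 'any' (ephemeral ports would never match again); ipchains
    logs ICMP type:code in the port fields, and snort ICMP rules take no ports."""
    if proto in ("icmp", "ip"):
        dport = "any"
    return ('alert %s %s any -> %s %s (msg:"ipchains DENY follow-up %s -> %s"; '
            'sid:%d; rev:1;)' % (proto, src, dst, dport, src, dst, sid))

def rules_from_syslog(lines, first_sid=1000001):
    """Build deduplicated snort rules (unique sids) from ipchains DENY lines."""
    seen, rules = set(), []
    for line in lines:
        entry = parse_ipchains_line(line)
        if entry is None:
            continue
        proto, src, _sport, dst, dport = entry
        key = (proto, src, dst, dport)
        if key not in seen:
            seen.add(key)
            rules.append(snort_rule(proto, src, dst, dport, first_sid + len(rules)))
    return rules

SAMPLE_SYSLOG = [  # constructed sample lines, not real log data
    "Aug 21 10:31:02 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.0.0.5:4021 192.168.1.2:23 L=60 S=0x00 I=41192 F=0x4000 T=51 SYN (#3)",
    "Aug 21 10:31:05 fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.0.0.5:4022 192.168.1.2:23 L=60 S=0x00 I=41194 F=0x4000 T=51 SYN (#3)",
    "Aug 21 10:31:07 fw kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.0.0.7:1029 192.168.1.2:161 L=78 S=0x00 I=41195 F=0x0000 T=64 (#3)",
]
if __name__ == "__main__":
    for rule in rules_from_syslog(SAMPLE_SYSLOG):  # append to a rules file, then restart snort
        print(rule)
```

Two log lines for the same source/destination/port differ only in the ephemeral source port, so they collapse into one rule.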

-----Original Message-----
From: Bob Hillegas [mailto:bobhillegas () pdq net]
Sent: Tuesday, August 21, 2001 10:34 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Wish list...


It would be nice if ipchains <...> -j DENY -l could trigger packet capture
by snort, so that I could analyze packets stopped by the packet filter.
Thanks, BobH

-- 
-------------------------------------------------
Bob Hillegas
<bobhillegas () pdq net>
281.546.9311


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
