Snort mailing list archives
RE: Wish list...
From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Tue, 21 Aug 2001 17:07:25 -0700
Once it's been denied by ipchains (and syslogged), it's too late for snort to alert on it, even if there was a real-time "API". However, you could add rules in snort beforehand to alert on all the same traffic that ipchains denies (maybe start with "pass" rules for all valid traffic; alert on everything else). Another (more exotic) option could be a script that could pick this up from syslog, edit the current snort rules to alert on the same IPs, ports, etc., and restart snort. This wouldn't get all the traffic, but snort would alert on future traffic to/from that source/destination IP or ports.

/Dan Hawrylkiw

-----Original Message-----
From: Bob Hillegas [mailto:bobhillegas () pdq net]
Sent: Tuesday, August 21, 2001 10:34 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Wish list...

It would be nice if ipchains <...> -j DENY -l could trigger packet capture by snort, so that I could analyze packets stopped by the packet filter.

Thanks,
BobH
--
-------------------------------------------------
Bob Hillegas <bobhillegas () pdq net>
281.546.9311

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
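The "script that picks this up from syslog" idea in Dan's reply, worked through as an added example (not code from the thread or from the Snort project): it parses ipchains `-l` log lines out of a syslog file, keeps only DENY/REJECT entries, collapses repeats to one rule per source/destination/port (the source port is ephemeral, so it is left as `any`), and emits Snort 1.x `alert` rules for the same traffic. The log layout (`Packet log: <chain> <target> <iface> PROTO=n src:sport dst:dport ... (#rule)`) is the 2.2-kernel ipchains format as assumed here, the sample lines are constructed, and the `sid` numbering base is an arbitrary choice. Appending the output to a rules file and restarting Snort is left to the operator, exactly as the reply describes.

```python
import re
from collections import OrderedDict

# Constructed sample syslog excerpt in the assumed ipchains log format.
# Lines 1 and 2 are the same src/dst/port (should collapse to one rule),
# line 5 is an ACCEPT (should be ignored), line 6 is not an ipchains entry at all.
SAMPLE_SYSLOG = """\
Aug 21 10:34:12 gw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1034 10.0.0.1:23 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#3)
Aug 21 10:34:15 gw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.5:1035 10.0.0.1:23 L=60 S=0x00 I=12346 F=0x4000 T=64 SYN (#3)
Aug 21 10:35:01 gw kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.9:4000 10.0.0.1:161 L=78 S=0x00 I=200 F=0x0000 T=128 (#5)
Aug 21 10:35:40 gw kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.7:8 10.0.0.1:0 L=84 S=0x00 I=9 F=0x0000 T=255 (#7)
Aug 21 10:36:00 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.1.5:1036 10.0.0.1:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
Aug 21 10:36:05 gw sshd[123]: Accepted password for bob from 192.168.1.2
"""

# Assumed ipchains log layout; for ICMP the "port" slots carry type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
    r".*\(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_denies(text):
    """Yield one dict per DENY/REJECT log entry; ACCEPT and unrelated lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("target") not in ("DENY", "REJECT"):
            continue
        entry = m.groupdict()
        entry["proto"] = int(entry["proto"])
        yield entry


def rule_key(entry):
    """Identity used to collapse repeated hits into a single Snort rule."""
    proto = PROTO_NAMES.get(entry["proto"], "ip")
    if proto in ("tcp", "udp"):
        return (proto, entry["src"], entry["dst"], entry["dport"])
    if proto == "icmp":
        return (proto, entry["src"], entry["dst"], entry["sport"])  # sport slot = ICMP type
    return (proto, entry["src"], entry["dst"])


def format_rule(entry, sid):
    """Render one Snort 1.x alert rule mirroring the denied flow."""
    proto = PROTO_NAMES.get(entry["proto"], "ip")
    msg = 'msg:"ipchains %s %s %s rule %s"' % (
        entry["target"], entry["chain"], entry["iface"], entry["rule"])
    if proto in ("tcp", "udp"):
        header = "alert %s %s any -> %s %s" % (proto, entry["src"], entry["dst"], entry["dport"])
        opts = [msg]
    elif proto == "icmp":
        header = "alert icmp %s any -> %s any" % (entry["src"], entry["dst"])
        opts = [msg, "itype:%s" % entry["sport"]]
    else:
        header = "alert ip %s any -> %s any" % (entry["src"], entry["dst"])
        opts = [msg]
    opts += ["sid:%d" % sid, "rev:1"]
    return "%s (%s;)" % (header, "; ".join(opts))


def build_rules(text, base_sid=1000001):
    """Turn a syslog excerpt into a de-duplicated list of Snort rules (insertion order kept)."""
    rules = OrderedDict()
    for entry in parse_denies(text):
        key = rule_key(entry)
        if key not in rules:
            rules[key] = format_rule(entry, base_sid + len(rules))
    return list(rules.values())


if __name__ == "__main__":
    # Output is meant to be appended to a local rules file included from snort.conf.
    for rule in build_rules(SAMPLE_SYSLOG):
        print(rule)
```

Running it against the constructed excerpt yields three rules (the two telnet hits collapse, the ACCEPT and the sshd line are dropped), with the ICMP echo-request turned into an `itype:8` match rather than a bogus port. In practice the script would read `/var/log/messages` (or wherever `kern.info` lands) rather than an inline string, and Snort has to be restarted after the rules file changes, which is the caveat in the reply: only traffic after that point is seen.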
Current thread:
- Wish list... Bob Hillegas (Aug 21)
- <Possible follow-ups>
- RE: Wish list... Hawrylkiw, Dan G (Aug 21)