Snort mailing list archives

RE: Blocking individual IP's


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 13 Apr 2002 16:43:51 -0500

On Thu, 2002-04-11 at 09:23, Ronneil Camara wrote:
> It's nice to hear that Snort can talk to Checkpoint. There is actually one, snortsam.
> But you would never want legitimate or trusted parties not to talk to your network
> anymore. What I meant was ip spoofing. Someone can just pretend that they're coming
> from this network. I would suggest you do the blocking manually.


Hey Ronneil,

that's why SnortSam has the DONTBLOCK statements so you can prevent the
accidental block of vital networks.

To James:

I would continue to block for short durations with SnortSam. If you
recognize evil IP's repeatedly, block those manually with rules on your
FW-1 (One of my first rules is  KnownScanners / any / any / drop /
nolog).

Regards,
Frank
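
The policy discussed in this message, sketched as an added example that is not part of the original post and is not SnortSam code: block requests for never-block networks are dropped (so a spoofed source cannot cut off a vital network), automated blocks are capped to a short duration, and repeat sources are listed for a manual firewall rule. The networks, addresses, cap and threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample values (documentation address ranges); none come from the thread.
DONTBLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]
MAX_BLOCK_SECONDS = 300   # assumed cap that keeps automated blocks short
REPEAT_THRESHOLD = 3      # assumed sightings before suggesting a manual rule


def decide(requests):
    """requests: iterable of (source_ip, requested_seconds) raised by the IDS.

    Returns (blocks, manual_candidates): the timed blocks to apply, and the
    addresses seen often enough to review for a permanent firewall rule.
    """
    blocks, seen = [], Counter()
    for ip_text, seconds in requests:
        ip = ipaddress.ip_address(ip_text)
        if any(ip in net for net in DONTBLOCK):
            # A spoofed alert must never cut off a vital network.
            continue
        seen[ip_text] += 1
        blocks.append((ip_text, min(seconds, MAX_BLOCK_SECONDS)))
    manual = sorted(ip for ip, count in seen.items() if count >= REPEAT_THRESHOLD)
    return blocks, manual


# Constructed block requests: one repeat source, two protected sources.
SAMPLE = [
    ("203.0.113.7", 600),
    ("192.0.2.10", 600),      # inside a never-block network
    ("203.0.113.7", 120),
    ("198.51.100.53", 60),    # protected single host
    ("203.0.113.9", 60),
    ("203.0.113.7", 600),
]

if __name__ == "__main__":
    blocks, manual = decide(SAMPLE)
    for ip, seconds in blocks:
        print(f"block {ip} for {seconds}s")
    print("review for manual rule:", manual)
```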

