Snort mailing list archives
Re: Question on snort redirecting
From: Owen McCusker <mccusker () sonalysts com>
Date: Wed, 4 Feb 2004 16:10:50 -0500
Check out the Unix domain socket output. Set up your own listener to receive data. Then you can mirror alerts from the Snort IDS. There is also some open source proxy software out there to facilitate forwarding.

But since Snort is passive, that is, it interprets all traffic, and is not like an "active" firewall that uses proxies to manage connections that can affect routing, it cannot "reroute" the traffic. It can only "mirror" certain types of data about the traffic that have been detected by the system using various rules. The data can be the traffic itself as represented by tcpdump format, depending on how you have the output plugins configured (tcpdump - binary data).

There may be projects out there that combine routing and IDS. I think the baitnswitch goes down that road, from the previous post.

If you start forwarding traffic associated with an attack you may also want to check out the threshold capabilities in Snort. You may indirectly create a DoS on yourself if there is a lot of data through your "forwarding" systems.

Owen
Hi All,

Can snort redirect packets or traffic to another computer? My case is:

Attacker->linux box(with snort)----Internal(computer A and B)

Suppose an attacker is to attack my linux box. Can I forward the attacker's traffic to computer A in my Intranet? At the same time, normal traffic to computer B? As you know, I don't know the attacker's IP before it attacks. How can I redirect it? Do I need to read from the snort database? Can snort know how to redirect? Or do I need to write some scripts?

Many Thanks!

Best,
Fred
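A listener of the kind Owen's reply describes, as an added example that is not part of the original thread and not Snort project code. It assumes Snort runs with its Unix socket alert output (`-A unsock` or `output alert_unixsock`), sends datagrams to a socket named `snort_alert` in its log directory, and starts each datagram with a 256-byte NUL-padded alert message; the log path, `Throttle` and the function names are illustrative. `Throttle` is a listener-side cap in the spirit of the self-inflicted DoS warning, not Snort's own threshold feature.

```python
import os
import socket
import time

ALERTMSG_LENGTH = 256  # assumption: size of the alert-text field that leads each datagram


def alert_message(datagram):
    """Return the NUL-terminated alert text at the start of an alert datagram."""
    return datagram[:ALERTMSG_LENGTH].split(b"\x00", 1)[0].decode("ascii", "replace")


class Throttle:
    """Allow at most `limit` forwards per alert message in each `window` seconds."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.seen = {}  # alert message -> (window start, alerts seen in window)

    def allow(self, msg, now=None):
        now = time.monotonic() if now is None else now
        start, count = self.seen.get(msg, (now, 0))
        if now - start >= self.window:  # window expired: start counting again
            start, count = now, 0
        self.seen[msg] = (start, count + 1)
        return count < self.limit


def open_listener(path):
    """Bind the datagram socket; it has to exist before Snort starts sending."""
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket left by an earlier run
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    old_umask = os.umask(0o177)  # create the socket 0600: only its owner can write
    sock.bind(path)
    os.umask(old_umask)
    return sock


def serve(path, forward, throttle):  # receive forever, forward alerts under the cap
    sock = open_listener(path)
    while True:
        datagram = sock.recv(1 << 17)  # room for alert text plus captured packet
        msg = alert_message(datagram)
        if throttle.allow(msg):
            forward(msg, datagram)


if __name__ == "__main__":  # assumed path: Snort's log directory + "snort_alert"
    serve("/var/log/snort/snort_alert", lambda msg, raw: print(msg), Throttle())
```

Start the listener before Snort and run it as the same user, since the socket is created owner-only.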
Current thread:
- Question on snort redirecting WAN FAT WU (Feb 04)
- Re: Question on snort redirecting Jack Whitsitt (jofny) (Feb 04)
- Re: Question on snort redirecting Owen McCusker (Feb 04)
- Re: Question on snort redirecting Matt Kettler (Feb 04)