Snort mailing list archives
Re: react: block not working
From: "Micheal.Cottingham" <micheal.cottingham () svccchr1 sv vccs edu>
Date: Fri, 06 Feb 2004 15:13:05 -0500
At 09:25 AM 2/6/2004, Micheal.Cottingham wrote:
As per the subject, react: block does not seem to be working. ACID is still picking up the alerts even though react: block is set. An example rule is: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP Large ICMP Packet"; dsize: > 800; react: block; reference: arachnids, 246; sid: 499; rev: 3; classtype: bad-unknown;)
You probably need to get a MUCH better understanding of what react:block does before you use it further.
http://www.snort.org/docs/snort_manual/node16.html#SECTION00374000000000000000
1) react:block is NOT a firewall
2) react:block will NOT stop subsequent attempts
3) react:block will not prevent the current packet alerted on from entering your network.
4) react:block does nothing useful when used on ICMP packets.
React:block _does_ however _attempt_ to reset a connection by using the flexresp system. This, if successful, prevents any more data in the given session from entering your network.... ICMP messages are sessionless, and there's little of any value that can be done to them after-the-fact.
Figures I missed something. heh. We do have two Cisco PIX, one primary, one failover for this site of our institution. However, for various reasons, we need IDS/IPS. I realize we can make the firewall do some of the stuff for us. However, there have been some things that the firewall would not be able to do.
At 09:25 AM 2/6/2004, Micheal.Cottingham wrote:
am doing this for other things such as MSSQL Propagation Attempt, NMAP Ping, etc. I especially want to block ICMP Large Packet as the TTLs have been modified, and the payload is a bit screwy to say the least. MSSQL Propagation Attempt is another big one on my list. I am in a pure Windows environment and my boss is not favorable of *nix, so hogwash is out of the question I'm afraid. snort-inline is also just *nix if I am not mistaken, is it not? I am using Snort 2.1. Any help would be greatly appreciated.
Whoops, sorry, missed the second half...
Really, since Windows doesn't come with a flexible scriptable firewall, there's little that you can do directly on a Windows box itself.
If you must stick to Windows-only you can buy a copy of CheckPoint FW/1 for your Windows box and use snortsam.
Believe me, if I had my way, we'd be on at least some *nix machines, if not all.
Although for the money I'd recommend not buying FW/1 and getting a separate firewall box and have snortsam command that. For the price of FW/1 you should be able to buy a Cisco PIX or Watchguard firebox. From what I read on the net, Checkpoint can be pretty pricey.
Yeah, as I said above, we do have two Cisco PIX firewalls, but for various reasons, we need IDS/IPS.
Snortsam can handle a variety of firewalls and can run with snort on a windows box : http://www.snortsam.net/
Thank you. I'll take a look at this. Will this provide what we want? As I mentioned before, we want to block/drop ICMP, UDP, and TCP packets.
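Matt's point above (react only attempts a TCP reset via flexresp, so it does nothing for sessionless ICMP or UDP and is never a firewall) can be turned into a check over a rules file. The following is an added example, not code from the thread or from Snort: a small Python lint that parses a rule's protocol and option block and reports what react/resp would actually do. The sample rules (the thread's ICMP rule plus two constructed ones) and the names HEADER_RE, split_options, parse_rule and audit_react are assumptions made for this example.

```python
import re

# Constructed sample rules: the first is the ICMP rule quoted in the thread
# (with "side:" corrected to "sid:"); the other two are assumptions.
SAMPLE_RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; '
    'dsize:>800; react:block; reference:arachnids,246; sid:499; rev:3; classtype:bad-unknown;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MSSQL propagation; constructed"; '
    'react:block; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test; constructed"; '
    'content:"/cgi-bin/"; react:block; sid:1000002; rev:1;)',
]

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(->|<>)\s+'
                       r'\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split the option block on ';', ignoring ';' inside double-quoted values."""
    items, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf))
    # Each item becomes (keyword, value); flag-only keywords get an empty value.
    return [tuple(p.strip() for p in item.partition(':')[::2]) for item in items if item.strip()]

def parse_rule(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('not a Snort rule: %r' % rule)
    return {'action': m['action'], 'proto': m['proto'].lower(), 'options': split_options(m['opts'])}

def audit_react(rule):
    """Return findings describing what react/resp can and cannot do for this rule."""
    r = parse_rule(rule)
    opts = dict(r['options'])
    active = '/'.join(k for k in ('react', 'resp') if k in opts)
    if not active:
        return []  # no active response keyword, nothing to warn about
    sid = opts.get('sid', '?')
    if r['proto'] != 'tcp':
        return ['sid %s: %s on %s is ineffective: %s is sessionless, there is no connection to reset'
                % (sid, active, r['proto'], r['proto'])]
    return ['sid %s: %s only attempts a RST after the matched packet has already passed; '
            'it is not a firewall and will not stop new connections' % (sid, active)]
```

Running audit_react over every rule in a file flags the ICMP and UDP rules as ineffective and annotates the TCP ones with the after-the-fact caveat.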
Current thread:
- react: block not working Micheal.Cottingham (Feb 06)
- Re: react: block not working Matt Kettler (Feb 06)
- Re: react: block not working Matt Kettler (Feb 06)
- Re: react: block not working Micheal.Cottingham (Feb 06)