Snort mailing list archives
RE: Snort Block Plugin.
From: <CGhercoias () TWEC COM>
Date: Wed, 26 May 2004 13:36:21 -0400
Hi,

What if the attack (NMAP scan) comes from the same IP address as the external interface of the firewall -- through the decoy function of NMAP, or IP spoofing? How about ARP spoofing -- Cain and Abel software, or ettercap? How does this piece of software deal with these scenarios? Will this create a DoS on the firewall?

Thank you,
Catalin A. Ghercoias
WEB/Network Security Administrator

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of akhenato () montevideo com uy
Sent: Wednesday, May 26, 2004 6:46 AM
To: Snort List
Subject: [Snort-users] Snort Block Plugin.

Hi,

I want to upload a contrib software that integrates with snort.

Introduction: The objective of this project is the creation of software that can be used to control the IP traffic arriving at a server exposed to the internet through a firewall, where there is an NIDS (snort) detecting attack patterns. When the NIDS detects an attack pattern, a rule is fired that ends with the creation of a filter in the firewall that drops the traffic from the suspected source address. The NIDS and the firewall do not need to run on the same system.

Description: This software provides server and client applications that integrate with snort to block any source IP address for a specified time. The client must be run on the snort system and is a snort plugin. The server must be installed (and running) on a system acting as a firewall (where the netfilter rules are applied). A rule must be configured in the snort rules files that fires the plugin when the defined condition is reached.

I need some help to test and optimize this software, adding features like encrypted communication between client and server, and some others that can be practical for the project.
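An added example, not part of the original thread and not the plugin's own code: one way the firewall-side server could handle the spoofed-source concern raised in the reply, by refusing block requests for protected addresses, capping the table size, and expiring blocks after the requested time. The class name, reason strings, protected networks and addresses are constructed for illustration, and the sketch only tracks state; it does not touch netfilter or address ARP spoofing.

```python
import ipaddress
import time


class BlockTable:
    """Timed source-IP blocks that never cover protected addresses (hypothetical helper)."""

    def __init__(self, protected, max_entries=1024, clock=time.monotonic):
        # protected: networks that must never be blocked, e.g. the firewall's
        # own interfaces, gateways, management hosts (assumed values).
        self.protected = [ipaddress.ip_network(n) for n in protected]
        self.max_entries = max_entries  # cap so a spoofed flood cannot grow the table without bound
        self.clock = clock
        self.blocks = {}  # ip -> expiry timestamp

    def expire(self):
        """Drop every block whose time has run out."""
        now = self.clock()
        for ip in [ip for ip, exp in self.blocks.items() if exp <= now]:
            del self.blocks[ip]

    def request_block(self, src, seconds):
        """Return (accepted, reason) for a block request sent by the sensor."""
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return False, "invalid address"
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            return False, "unusable source address"
        if any(ip in net for net in self.protected):
            return False, "protected address"
        self.expire()
        if ip not in self.blocks and len(self.blocks) >= self.max_entries:
            return False, "table full"
        self.blocks[ip] = self.clock() + seconds
        return True, "blocked"

    def is_blocked(self, src):
        self.expire()
        return ipaddress.ip_address(src) in self.blocks


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    table = BlockTable(["203.0.113.1/32", "192.0.2.0/24"])
    print(table.request_block("203.0.113.1", 300))   # firewall's own address
    print(table.request_block("198.51.100.7", 300))  # external source
```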