Snort mailing list archives
[snort-users] Blocking with a PIX
From: d.deboni () edexter it
Date: Tue, 11 May 2004 15:44:52 +0200
Hi to everyone,

I've configured snort with snortsam to block attacks from the outside. It all worked perfectly when I tried it on a Cisco Router. But now I need to do that with a Cisco PIX.

Here's the snortsam.conf file:

    accept 127.0.0.1
    pix <PIXIP> <TELNETPASSWORD> <ENABLEPASSWORD>

When I try to launch both snort and snortsam I see these messages, and it seems that snortsam is applying the rules on the pix:

    Checking for existing state file: Present. Reading State
    Starting to listen for Snort alerts.
    Accepted connection from 127.0.0.1
    Accepted connection from 127.0.0.1
    Adding sensor 127.0.0.1 to list.
    Blocking host <IP> completely for 7200 seconds
    Accepted connection from 127.0.0.1
    Blocking host <IP> completely for 7200 seconds
    Accepted connection from 127.0.0.1
    Blocking host <IP> completely for 7200 seconds

and so on...

By the way, if I look at the Pix configuration there are no rules applied. I know that the PIX Plugin uses the shun command to block IP, and if I try it manually on the Pix it works.

I've tried to disable telnet for the Snort/Snortsam server on the Pix to see if Snortsam works anyway. If I do that, SnortSam says it can't connect to Pix. So it seems that SnortSam "works"....

Thanks for help

Davide De Boni
Email: d.deboni () edexter it
e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB) ITALIA
Tel +39.0323.407733
Fax +39.0323.53558