Snort mailing list archives

Re: snort block


From: James Riden <j.riden () massey ac nz>
Date: Wed, 01 Dec 2004 15:13:06 +1300

"reynald" <rtm () cybees com> writes:

   hello guys,

   Can somebody tell me if it's possible to have snort block a
   host/s when a specific rule alerted 10 times?

Yes :)

You can either use snort-inline for 'true' blocking, or you can use
flexresp2 which simply sends fake TCP RSTs to tear the connection
down, or I think there are other plugins which will add firewall rules
(e.g. for iptables or Cisco PIXs). Or you could hack up a custom perl
script to parse /var/log/snort/alert and take whatever action you like
when a particular IP address has triggered a particular rule M times
in N minutes.

I used the latter technique (with portscan.log) in a script which
would go and clobber Blaster/Welchia/Sasser infected hosts after so
many portscan alerts.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
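The alert-log parsing approach James sketches in the last paragraph of his reply, written up as an added example (Python rather than perl; this is not code from the post or from the Snort project): it reads records in the layout Snort's full alert mode writes to /var/log/snort/alert, counts hits per source address for one rule SID inside a sliding window of N minutes, and returns the hosts that reached M hits. The sample records, the year (Snort's default timestamp carries none), the SID and the M/N values are all constructed; what to do with the returned hosts is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Header "[**] [gid:sid:rev] msg [**]" and packet line "MM/DD-HH:MM:SS.usec src:port -> dst:port"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] .* \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+ "
                       r"(\d+(?:\.\d+){3})(?::\d+)? -> (\d+(?:\.\d+){3})(?::\d+)?$")

def parse_alerts(text, year=2004):
    """Yield (timestamp, sid, src_ip) per alert; the default Snort stamp has no year, so one is assumed."""
    sid = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sid = int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m and sid is not None:
            mon, day, hh, mm, ss = map(int, m.groups()[:5])
            yield datetime(year, mon, day, hh, mm, ss), sid, m.group(6)
            sid = None

def hosts_over_threshold(text, sid, count=10, minutes=5):
    """Source IPs that fired rule `sid` at least `count` times inside any `minutes`-wide sliding window."""
    window, recent, flagged = timedelta(minutes=minutes), defaultdict(deque), set()
    for ts, rule, src in sorted(parse_alerts(text)):
        if rule != sid:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= count:
            flagged.add(src)  # hand-off point for whatever response is chosen
    return flagged

def alert_record(sid, stamp, src, dst):
    # One record in the layout Snort's full alert mode writes (constructed sample)
    return (f"[**] [1:{sid}:8] MS-SQL Worm propagation attempt [**]\n"
            "[Classification: Misc Attack] [Priority: 2]\n"
            f"{stamp} {src}:1434 -> {dst}:1434\n"
            "UDP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:404\n")
SAMPLE = "".join(alert_record(*r) for r in [
    (2003, "12/01-15:03:00.000001", "10.0.0.5", "192.168.1.10"),  # 9.5 min before the burst
    (2003, "12/01-15:10:00.000002", "10.0.0.5", "192.168.1.10"),
    (2003, "12/01-15:11:00.000003", "10.0.0.5", "192.168.1.11"),
    (2003, "12/01-15:12:30.000004", "10.0.0.5", "192.168.1.12"),
    (2003, "12/01-15:12:31.000005", "10.0.0.9", "192.168.1.10"),
    (1000001, "12/01-15:13:00.000006", "10.0.0.9", "192.168.1.10"),  # other rule, not counted
])
```

With the constructed sample, `hosts_over_threshold(SAMPLE, 2003, count=3, minutes=5)` returns `{'10.0.0.5'}`; the 15:03 hit is outside the window, so a threshold of 4 is not reached unless the window is widened.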
