Snort mailing list archives
Re: snort block
From: James Riden <j.riden () massey ac nz>
Date: Wed, 01 Dec 2004 15:13:06 +1300
"reynald" <rtm () cybees com> writes:
hello guys, Can somebody tell me if it's possible to have snort block a host/s when a specific rule alerted 10 times?
Yes :) You can either use snort-inline for 'true' blocking, or you can use flexresp2 which simply sends fake TCP RSTs to tear the connection down, or I think there are other plugins which will add firewall rules (e.g. for iptables or Cisco PIXs). Or you could hack up a custom perl script to parse /var/log/snort/alert and take whatever action you like when a particular IP address has triggered a particular rule M times in N minutes. I used the latter technique (with portscan.log) in a script which would go and clobber Blaster/Welchia/Sasser infected hosts after so many portscan alerts. cheers, Jamie -- James Riden / j.riden () massey ac nz / Systems Security Engineer Information Technology Services, Massey University, NZ. GPG public key available at: http://www.massey.ac.nz/~jriden/ ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort block reynald (Nov 30)
- Re: snort block James Riden (Nov 30)
- Re: snort block Pedro Fortuna (Nov 30)
- Re: snort block James Riden (Nov 30)