Re: Snort Triggered Shun on Cisco ASA

[Steven King <sking () kingrst com>]

Would the script be fast enough to respond to an attack? SSH on the
ASA's is fairly slow due to the back plane taking a back seat to passing
traffic. Seems that attackers might be able to at least get some
information before the script could complete its task.

Daniel, Akos wrote:
> Hi,
>
> My idea would be, but never tested (only the automatic ssh with cisco firewalls):
>
> 1. Snort alerts should be human readable, like syslog.
> 2. Use 'watch' on syslog.
> 3. Run a ssh perl script with predefined cli commands (script will log in and issue the commands) + mail perl script 
> for you (script will send a message for you what it did).
>
> In inline mode, can you block with snort as well.
>
> Regards,
> Akos
>
>
> -----Ursprüngliche Nachricht-----
> Von: Steven King [mailto:sking () kingrst com] 
> Gesendet: Dienstag, 30. Juni 2009 10:48
> An: snort-users () lists sourceforge net
> Betreff: [Snort-users] Snort Triggered Shun on Cisco ASA
>
> Has anyone configured Snort to trigger a shun command on a Cisco ASA
> device in an Inline IPS configuration or with NIDS?
>
> If so, could you please point me in the right direction to possibly
> implement this? How effective is this setup?
>
> Thanks!
>
>   

-- 
Steve King

Network Engineer - Liquid Web, Inc.
Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users