Snort mailing list archives
Re: snort and BGP
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 11 Oct 2013 11:41:54 -0600
On 2013-10-11 11:19, Jeff d'Ambly wrote:
Is anyone using snort to signal an upstream provider via BGP for the black holing of traffic? For example if you get DDOS'd do you want your internet providers to block the traffic? --Jeff
I'm putting this one into production soon at points where I should never see BGP:

    alert tcp any any -> any 179 (msg:"BGP seen on Network"; flow:stateless; classtype:bad-unknown; sid:xxxxxxx; rev:1;)

Add the below to your threshold.conf file for how often you want to see this:

    event_filter gen_id 1, sig_id xxxxxxx, type limit, track by_src, count 1, seconds 1200

I thought about adding a flags:S; but thought eh...might as well see it all :)

You'll want to change the xx's to however you have your private SIDs set up.

James
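As an added illustration, not part of the thread or of Snort itself, the following Python emulates what the rule and the event_filter above do together: every TCP packet to port 179 matches (flow:stateless), and the "type limit, track by_src, count 1, seconds 1200" filter lets only the first event per source through in each 1200-second window. The packet records and addresses are constructed for the example.

```python
from collections import namedtuple

# Constructed packet records (src, dst, dport, ts): not from the thread.
Packet = namedtuple("Packet", "src dst dport ts")

BGP_PORT = 179          # the rule's "-> any 179"
LIMIT_COUNT = 1         # event_filter: count 1
LIMIT_SECONDS = 1200    # event_filter: seconds 1200

def rule_matches(pkt):
    """alert tcp any any -> any 179 with flow:stateless: any TCP packet to 179 counts."""
    return pkt.dport == BGP_PORT

class LimitFilter:
    """Emulates event_filter type limit, track by_src: log the first `count`
    events from a source in each `seconds` window and drop the rest of that
    window. A new window starts at the first event after the old one expires."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}   # src -> (window_start, events_seen_in_window)

    def allow(self, src, ts):
        start, n = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # window expired (or first event): restart
        n += 1
        self.state[src] = (start, n)
        return n <= self.count

def run(packets, count=LIMIT_COUNT, seconds=LIMIT_SECONDS):
    """Return the (src, ts) pairs that would actually be alerted on."""
    flt = LimitFilter(count, seconds)
    return [(p.src, p.ts) for p in packets
            if rule_matches(p) and flt.allow(p.src, p.ts)]

# Constructed sample traffic; timestamps are seconds from capture start.
SAMPLE = [
    Packet("10.1.1.5", "203.0.113.9", 179, 0),     # alert: first from this src
    Packet("10.1.1.5", "203.0.113.9", 179, 30),    # suppressed: same window
    Packet("10.1.1.7", "203.0.113.9", 443, 40),    # not BGP, rule does not match
    Packet("10.1.1.7", "203.0.113.9", 179, 60),    # alert: tracked per source
    Packet("10.1.1.5", "203.0.113.9", 179, 1199),  # suppressed: still in window
    Packet("10.1.1.5", "203.0.113.9", 179, 1200),  # alert: window rolled over
]

if __name__ == "__main__":
    for src, ts in run(SAMPLE):
        print(f"BGP seen on Network from {src} at t={ts}s")
```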
Current thread:
- snort and BGP Jeff d'Ambly (Oct 11)
- Re: snort and BGP James Lay (Oct 11)
- Re: snort and BGP Jeff d'Ambly (Oct 15)
- Re: snort and BGP James Lay (Oct 11)