Snort mailing list archives
Re: Snort Capabilities
From: wkitty42 () windstream net
Date: Thu, 26 May 2016 19:59:05 -0400
On 05/26/2016 05:48 PM, Kyle Cummings wrote:
> I was wondering if Snort is capable of either of the following:
> 1. Deny / terminate requests based on the geographic location of the IP.
why not just block actual attacks from anywhere? it is cheaper, in the long run, and allows others access if desired... you can, however, block addresses but the cost of processing (all) those rules may be too much... eg: one of the rules sets that i use has a list of TOR routers and exit nodes... we don't allow TOR access to our sites so we process the list to disable those that are listed as routers... the exit nodes are blocked... one can do this directly in snort when running inline or one can use another tool to monitor the snort alerts...
> 2. Detect and "block" potential DoS / DDoS attacks.
i think there's already numerous rules for (D)DoS attacks... it depends on the rules set(s) that you use... [...]
> I know that the former can technically be done by a list of firewall rules. However, typing and / or maintaining such a list manually is pretty much pure insanity. So, is there any other method with Snort? Or would I have to either enter things in manually into the configuration file or maybe write a script that does it for me?
that's where the two different methods come into play... there are some tools out there that do this and snort can do it, too... just alter the rule from alert to drop and make sure the rules you are running are tweaked for the traffic running over your network...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.
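The two pieces of the reply above (generating drop rules from an address list such as a TOR exit-node feed, and rewriting existing rules from alert to drop for inline use) as an added, self-contained example; it is not code from the thread or from the Snort project. The "address,role" list format, the sample rules and the SID range are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample: a hypothetical node list in "address,role" form,
# where only "exit" entries should become drop rules.
SAMPLE_NODE_LIST = """\
198.51.100.10,exit
198.51.100.11,router
203.0.113.5,exit
203.0.113.0/24,router
not-an-ip,exit
"""

# Constructed sample rule file in standard Snort syntax.
SAMPLE_RULES = """\
# comment lines are left untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test"; sid:1000002; rev:1;)
pass tcp any any -> any any (msg:"keep"; sid:1000003; rev:1;)
"""

ACTION_RE = re.compile(r"^(alert)(\s+)")


def exit_node_drop_rules(node_list, base_sid=9000000):
    """Emit one 'drop ip' rule per exit node; routers and unparsable entries are skipped."""
    rules = []
    sid = base_sid  # constructed local SID range; pick one that does not collide with your sets
    for line in node_list.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, role = line.partition(",")
        if role.strip().lower() != "exit":
            continue
        try:
            net = ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError:
            continue  # malformed feed entry: do not turn garbage into a rule
        rules.append(f'drop ip {net.with_prefixlen} any -> $HOME_NET any '
                     f'(msg:"TOR exit node blocked"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def alert_to_drop(rules_text, sids=None):
    """Rewrite 'alert' to 'drop' for every rule, or only for the SIDs in `sids`."""
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            sid_m = re.search(r"sid:\s*(\d+)", line)
            if sids is None or (sid_m and int(sid_m.group(1)) in sids):
                line = "drop" + line[m.end(1):]
        out.append(line)
    return "\n".join(out)
```

Restricting `alert_to_drop` to a reviewed set of SIDs is the safer way to go inline: converting every rule wholesale turns any false positive into a self-inflicted outage.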