Snort mailing list archives

Re: Snort Capabilities


From: wkitty42 () windstream net
Date: Thu, 26 May 2016 19:59:05 -0400

On 05/26/2016 05:48 PM, Kyle Cummings wrote:
I was wondering if Snort is capable of either of the following:

 1. Deny / terminate requests based on the geographic location of the IP.

Why not just block actual attacks from anywhere? It is cheaper, in the long run, 
and allows others access if desired... You can, however, block addresses, but the 
cost of processing (all) those rules may be too much...

E.g.: one of the rule sets that I use has a list of Tor routers and exit nodes... 
We don't allow Tor access to our sites, so we process the list to disable those 
that are listed as routers... The exit nodes are blocked... One can do this 
directly in Snort when running inline, or one can use another tool to monitor the 
Snort alerts...

 2. Detect and "block" potential DoS / DDoS attacks.

I think there are already numerous rules for (D)DoS attacks... It depends on the 
rule set(s) that you use...

[...]
I know that the former can technically be done by a list of firewall rules.
However, typing and / or maintaining such a list manually is pretty much pure
insanity. So, is there any other method with Snort? Or would I have to either
enter things in manually into the configuration file or maybe write a script
that does it for me?

That's where the two different methods come into play... There are some tools 
out there that do this, and Snort can do it, too... Just alter the rule from 
alert to drop and make sure the rules you are running are tweaked for the 
traffic running over your network...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
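The two things the reply describes (turning a Tor node list into something Snort can block inline, and flipping rules from alert to drop) are easy to script. The block below is an added example written for this archive page; it is not code from the poster or from the Snort project. The node-list format ("ip,flag;flag") and the sample entries are constructed stand-ins for whatever feed you actually consume, and the ipvar name TOR_EXIT and the sid are arbitrary choices. What it does show is the real Snort 2 rule syntax for a single ipvar-driven drop rule, which is cheaper than one rule per address, and an action rewrite that only touches the rule action keyword, not text inside msg:

```python
"""Turn a Tor node list into a single Snort 2 'drop' rule and convert alert rules to drop.

Added example for the list post above; not from the poster or the Snort project.
Assumptions (not from the page): the feed format "ip,flag;flag" is constructed,
TOR_EXIT / the sid are arbitrary, and Snort is built with IPv6 support if the
feed carries IPv6 addresses.
"""
import ipaddress
import re

# Constructed sample feed, one node per line: "<ip>,<flag>[;<flag>...]".
# Includes a router-only node, a duplicate, a junk line and an IPv6 exit.
SAMPLE_FEED = """\
# constructed sample, not real Tor node data
198.51.100.10,exit;router
198.51.100.11,router
203.0.113.5,exit
bad-line-without-comma
203.0.113.5,exit;router
2001:db8::1,exit
"""

LOCAL_SID_BASE = 1000000  # sids >= 1000000 are the local-rule range in Snort 2

# Matches the rule action only at the start of the line, so 'alert' inside a
# msg:"..." string or a commented-out rule is left alone.
ACTION_RE = re.compile(r"^(\s*)alert(\s+)")


def parse_feed(text):
    """Return the de-duplicated, sorted exit-node addresses from the feed.

    Router-only entries are skipped (the post disables those), junk lines and
    unparsable addresses are ignored rather than aborting the run.
    """
    exits = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "," not in line:
            continue
        ip_str, flags = line.split(",", 1)
        try:
            ip = ipaddress.ip_address(ip_str.strip())
        except ValueError:
            continue  # junk address, skip it
        if "exit" in {f.strip() for f in flags.split(";")}:
            exits.add(ip)
    # IPv4 first, then IPv6, each numerically ordered for stable output
    return sorted(exits, key=lambda a: (a.version, int(a)))


def build_ipvar(name, ips):
    """One ipvar holding every exit node, so one rule covers the whole list."""
    return f"ipvar {name} [{','.join(str(ip) for ip in ips)}]"


def build_rule(var_name, sid, action="drop"):
    """A Snort 2 rule blocking any IP traffic from the listed sources (inline mode)."""
    return (
        f"{action} ip ${var_name} any -> $HOME_NET any "
        f'(msg:"Tor exit node traffic"; sid:{sid}; rev:1;)'
    )


def alert_to_drop(rule_line):
    """Rewrite the rule action so an inline Snort drops instead of only alerting."""
    return ACTION_RE.sub(r"\1drop\2", rule_line, count=1)


def generate_config(feed_text, var_name="TOR_EXIT", sid=LOCAL_SID_BASE + 1):
    """Return the ipvar line and the single drop rule for the feed."""
    ips = parse_feed(feed_text)
    return [build_ipvar(var_name, ips), build_rule(var_name, sid)]


if __name__ == "__main__":
    for line in generate_config(SAMPLE_FEED):
        print(line)
    print(alert_to_drop('alert tcp any any -> $HOME_NET 80 (msg:"alert me"; sid:1;)'))
```

The ipvar approach keeps the rule count constant as the list grows, which addresses the processing-cost concern in the reply; the list itself must still be refreshed and Snort reloaded (or the file regenerated by whatever tool watches the feed) for the block to stay current.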
