Snort mailing list archives

Re: third party utility to kill ...


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 31 Jan 2002 13:42:36 -0500

The Snort FAQ describes why trying to invoke an external process from an IDS is generally a bad idea (hint: this creates a security hole that allows your IDS to be bypassed by causing it to waste so much time invoking processes that it starts missing packets).

Read the FAQ:

http://www.snort.org/docs/faq.html#5.9

And yes, the FAQ mentions a bit about the speed of this on Windows, but it's not acceptably fast to do in *nix either.

At 04:18 PM 1/30/2002 -0600, Ronneil Camara wrote:
I would like to kill a tcp connection other than making use of flexresp.
I want to make use of tcpkill by Dugsong.

Is there a way I can call this program once an alert, say web-iis cmd.exe,
is sensed by Snort, then Snort is going to execute tcpkill -9 <target_ip>?
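
The following is an added illustration of the reply's argument, not part of the original messages and not Snort code: a discrete-time model of a single-threaded sensor with a fixed-size capture buffer, comparing an inline process spawn per alert with simply logging the alert for a separate process to act on. The function name, traffic figures and per-alert costs are constructed assumptions, not measurements.

```python
from collections import deque

def dropped_packets(n_packets, arrival_us, inspect_us,
                    alert_every, alert_cost_us, buf_slots):
    """Model a single-threaded sensor draining a fixed-size capture buffer.

    Every `alert_every`-th packet fires a rule, and the sensor spends
    `alert_cost_us` handling that alert before it can inspect the next
    packet. Returns how many packets arrived while the buffer was full.
    """
    waiting = deque()   # (arrival_time_us, fires_alert) not yet inspected
    free_at = 0         # time at which the sensor finishes its current packet
    dropped = 0
    for i in range(n_packets):
        now = i * arrival_us
        # Let the sensor work through the backlog up to the current time.
        while waiting and free_at <= now:
            arrived, fires_alert = waiting.popleft()
            start = max(free_at, arrived)
            free_at = start + inspect_us + (alert_cost_us if fires_alert else 0)
        if len(waiting) >= buf_slots:
            dropped += 1            # buffer full: this packet is never inspected
        else:
            waiting.append((now, i % alert_every == 0))
    return dropped

# Constructed figures (assumptions, not measurements): 10,000 packets/s,
# 20 us to inspect a packet, 5 ms to fork+exec a helper, 5 us to append
# the alert to a log that a separate process reads.
TRAFFIC = dict(n_packets=100_000, arrival_us=100, inspect_us=20, buf_slots=256)
SPAWN_US, LOG_US = 5_000, 5

def scenarios():
    return {
        "spawn per alert, rare alerts": dropped_packets(
            alert_every=10_000, alert_cost_us=SPAWN_US, **TRAFFIC),
        "spawn per alert, alert flood": dropped_packets(
            alert_every=10, alert_cost_us=SPAWN_US, **TRAFFIC),
        "log only, alert flood": dropped_packets(
            alert_every=10, alert_cost_us=LOG_US, **TRAFFIC),
    }

if __name__ == "__main__":
    for name, lost in scenarios().items():
        print(f"{name:32s} dropped {lost} of {TRAFFIC['n_packets']}")
```

Under these assumptions the sensor keeps up when alerts are rare, loses most of its traffic once every tenth packet triggers a spawn, and loses nothing when the alert is only logged and the response runs out of band.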

