Snort mailing list archives
Re: Block Conncection
From: Alberto Gonzalez <albertg () cerebro violating us>
Date: Sat, 07 Dec 2002 03:05:00 -0800
Well, the Resp[1] keyword doesn't "block" connections; it has the ability to send RST packets and/or ICMP error messages. I don't consider this blocking (i.e., dropping the packet, no response). The manual illustrates 2 examples of using the Resp keyword within a rule. You can choose multiple modifiers at the same time. To block connections (some might agree that this is bad) I suggest you either employ SnortSam[2] and/or Hogwash[3]. I've played with the Resp keyword, not much.
What was the result you got from your tests? The very few ones I did actually got some nice results. I'm a fan of hybrid solutions (don't want to get into the IPS stuff.) Hopefully the technology will grow from here. Hope my 2 cents help you out!
Cheers!
- Alberto

[1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22
[2] - http://www.snortsam.net
[3] - http://hogwash.sourceforge.net

Atul Shrivastava wrote:
> Hi,
> Can anyone tell me how we can block a certain connection? Let's say that I want to block every connection for telnet that uses username "root".
> Can anybody give me the rule? This will illustrate for me the use of the "react" keyword. I know that this keyword works with three modes:
> 1. Block the source
> 2. Block the destination
> 3. Block both of them.
> I have also used them but did not get the desired result. Please tell me the required and efficient rule if somebody has tested it fully.
> Thanks in advance.
>
> Regards and have a nice day,
> Atul Shrivastava
--
The secret to success is to start from scratch and keep on scratching.
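
The distinction drawn in the reply above (resp answers a matching packet with RST or ICMP messages, it does not drop it), shown as an added example that is not part of the original thread or of the Snort manual. It assumes a Snort build with flexible response support, $HOME_NET and $EXTERNAL_NET defined in snort.conf, and stream reassembly so the server's prompt and the echoed username are seen together; the sid values and msg strings are constructed.

```snort
# Added example, local sid range. resp is an active response sent by a
# passive sensor: the packet that matched has already reached its
# destination, so the connection is torn down after the fact, not blocked.

# Telnet server echoing "login: root" back to the client.
# rst_all sends TCP RST packets to both ends of the connection.
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL telnet root login, reset both ends"; flow:from_server,established; content:"login|3a| root"; resp:rst_all; sid:1000001; rev:1;)

# Same match, but only the sender of the matching packet
# (here the telnet server) receives the RST.
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL telnet root login, reset sender"; flow:from_server,established; content:"login|3a| root"; resp:rst_snd; sid:1000002; rev:1;)

# Several modifiers in one rule, comma separated. For UDP there is no RST,
# so the response is ICMP unreachable messages sent to the sender.
# Port 31 is a constructed placeholder.
alert udp $EXTERNAL_NET any -> $HOME_NET 31 (msg:"LOCAL udp probe, ICMP unreachable response"; resp:icmp_port,icmp_host; sid:1000003; rev:1;)
```

Because the response races the real traffic, an inline or firewall-driven tool such as the SnortSam and Hogwash projects named in the reply is what actually keeps packets from being delivered.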