Re: Snort dropping packages. How to ?

[Jason <security () brvenik com>]

Be very careful using these options. Especially with virus content.

In the case of mail, the sending server will continue to attempt to 
deliver the mail until the message expires. POP users could have the 
connection to the server closed and not be able to get any mail past 
that message.

In the case of an auto propogating virus you could end up creating a 
storm of traffic as the virus will keep sending and you will keep 
attempting to close.

The good with the bad. Like any tool, you have to know how to use it.

Alberto Gonzalez wrote:
> you might want to take a look at 'resp' and or 'react'.
>
> React has the ability to implement flexible reactions for traffic that 
> matches a given snort rule. I guess the main function your looking for 
> is 'block' .
>
> Check section 2.3.22 for Resp and section 2.3.24 for React in the "Snort 
> Users Manual".
>
> hope it helps
>
>    - Albert
>
> armando () hadrion com br wrote:
>
> > Hi Guys,
> >
> > I'm with a doubt in snort, if someone can help me. ;)
> >
> > I have snort.conf using several rules. One of this files is
> > virus.rules, where i only have virus signatures. =]
> >
> > And this rules is working properly when a virus arrive (it detect
> > virus and log).
> >
> > But i like that the snort didn't log only, i like that snort log and
> > drop (delete) the package whith mismatch with a virus signature (based
> > on virus.rules). :))
> >
> > How to do it ??
> >
> > Some idea ??
> >
> > Thkz a lot.
> >
> > Best Regards.
> >
> > [ ]'s



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users