RE: Question about Alerts

["Miller, Eoin" <Miller () fhlb-of com>]

you might want to checkout inline snort / hogwash:

http://hogwash.sourceforge.net/

if a packet matches something in the list of snort alerts it will drop it, log it and pass it, or ignore it. this can 
be done even with out IP support on the box.

> -----Original Message-----
> From: Joe Giles [mailto:jgiles () joeman1 com]
> Sent: Monday, October 28, 2002 12:37 PM
> To: Snort-List
> Subject: [Snort-users] Question about Alerts
>
>
> I think I have seen this question before, but I'll ask again. Is there
> anyway to incorporate Snort with IPTABLES is order to drop 
> selected ip's
> that generate an alert? 
>
> Example:
> I get a KLEZ incoming alert. I would like to have that passed to
> IPTABLES to DROP that IP address long enough to not allow the virus to
> get transfered, then reopen the IP till the next alert. Or something
> along those lines..
>
> Thoughts?
>
> Thanks
>
> Joe
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users