Snort mailing list archives

RE: Snort's Blocking Capability?


From: SRH-Lists <giermo () 333tech com>
Date: Fri, 28 Mar 2003 12:33:59 -0600

G'Day People,

G'Day

 * As I understand, snort monitors packets as it reaches the interface,
    but can it actually *delete* an individual packet so that applications
    do not receive it?

Not natively, but see Hogwash[0]

And also:

 * When snort's flexresp plugin is used to send connection reset
    packages to source/destination IP, am I right in saying this doesn't
    actually stop the packet from reaching the receiving IP on our
    network (so it is not "blocked")?

Correct, but it should stop subsequent packets in the same tcp
connection.


 * Could a setup on the hacker's machine not simply ignore
    connection reset packets anyway?

They could, but the RST is sent to both ends of the session.  If the
"hacker" tried to continue the session, the target would say: "Huh?,
this session is closed"


If I understand correctly, snort doesn't work low-level enough to
actually "block" packets from doing what they would do?  If so, are
there any plugins or external applications that can work co-operatively
with snort and stop packets from reaching applications on the host?


Again, see Hogwash[0].  It is an 'inline' modification that uses Snort
to "scrub" packets.

[0] http://hogwash.sourceforge.net/
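
The distinction drawn in the replies above, as a toy model (an added example, not part of the original message and not Snort or Hogwash code): a passive sensor that resets the session after a match versus an inline one that drops the matching packet. The `SIGNATURE` bytes and all class and function names are constructed for illustration; sequence numbers, retransmission and the race between the RST and later packets are not modeled.

```python
from dataclasses import dataclass, field

SIGNATURE = b"EVIL"  # constructed stand-in for whatever a rule matches on
SAMPLE = [b"hello", b"EVIL payload", b"more", b"again"]  # constructed session


@dataclass
class Target:
    """Receiving host: its TCP stack accepts data only while the session is open."""
    session_open: bool = True
    accepted: list = field(default_factory=list)   # handed to the application
    rejected: list = field(default_factory=list)   # "Huh?, this session is closed"

    def receive(self, payload):
        (self.accepted if self.session_open else self.rejected).append(payload)

    def receive_rst(self):
        self.session_open = False


def run_session(payloads, mode, attacker_ignores_rst=True):
    """Replay payloads from the attacker towards the target.

    mode='passive': sensor sees a copy of each packet and, on a match,
                    sends a RST to both ends (the flexresp behaviour discussed).
    mode='inline' : sensor sits in the forwarding path and does not forward
                    a matching packet (the Hogwash-style behaviour discussed).
    """
    target = Target()
    attacker_open = True
    for p in payloads:
        if not attacker_open:
            break                      # attacker honoured the RST and stopped
        match = SIGNATURE in p
        if mode == "inline" and match:
            continue                   # packet never reaches the receiving IP
        target.receive(p)              # passive: original is already on its way
        if mode == "passive" and match:
            target.receive_rst()       # RST towards the target
            if not attacker_ignores_rst:
                attacker_open = False  # RST towards the attacker
    return target


if __name__ == "__main__":
    for mode in ("passive", "inline"):
        t = run_session(SAMPLE, mode)
        print(mode, "accepted:", t.accepted, "rejected:", t.rejected)
```

In the passive run the matching packet still reaches the application, which is the gap the question is about; ignoring the RST on the sending side changes nothing because the target has already closed its end.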


