Snort mailing list archives

Re: Snort's Blocking Capability?


From: Erek Adams <erek () snort org>
Date: Fri, 28 Mar 2003 15:05:43 -0500 (EST)

On Fri, 28 Mar 2003, Thop (Thomas Hesketh-Roberts) wrote:

 * As I understand, snort monitors packets as it reaches the interface,
    but can it actually *delete* an individual packet so that applications
    do not receive it?

Nope.

 * In further words, is snort capable of effectively "blocking" activity
    from a particular IP address?

Nope.  Snort is a packet sniffer, logger and an IDS.

Blocking is best handled by something else:  Snort-inline, Hogwash or
SnortSam.

 * When snort's flexresp plugin is used to send connection reset
    packages to source/destination IP, am I right in saying this doesn't
    actually stop the packet from reaching the receiving IP on our
    network (so it is not "blocked")?

No, it might.  There is no guarantee...

 * Could a setup on the hacker's machine not simply ignore
    connection reset packets anyway?

Well you could ignore them, but unless you rewrite your own TCP/IP stack,
it's not terribly useful.

If I understand correctly, snort doesn't work low-level enough to
actually "block" packets from doing what they would do?  If so, are
there any plugins or external applications that can work co-operatively
with snort and stop packets from reaching applications on the host?

No, Snort is 'low level' enough.  It's just not designed to do that.

As for other packages, see above.  Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

