Snort mailing list archives

Re: Thoughts on Snort-flex rule?


From: Erek Adams <erek () snort org>
Date: Sun, 26 Jan 2003 13:50:02 -0500 (EST)

On Sun, 26 Jan 2003, Rich Adamson wrote:

> 1. Is there a way to configure snort (eg, rules or other options) to track
> portscans, web application attacks, etc, from a single source IP address,
> and flex-respond to "all" future activity from that source for the next
> five minutes (or some other preconfigured time frame) regardless of the
> next target IP from that source?

Nope.

[...snip...]

> 2. Are there any other inexpensive hardware/software solutions (besides
> commercial firewalls, in-line linux-type boxes, etc) that would act as a
> gateway of sort, that snort could control to essentially create the
> reactive function noted in #1, above?
>
> I'm quite familiar with the delay issues of reacting to such events, and
> the risk associated with not stopping the initial scans, etc.

Snort-inline could be a GIDS for you.  It's not going to have the
timeframe setup that you want, but it would be able to drop them before
entering your net.

> 3. Anyone tried to create a tcl/snmp/other mechanism to dynamically
> modify a Cisco router access control list to accomplish the above?

Guardian [0] and SnortSam [1].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.chaotic.org/guardian/
[1]     http://www.snortsam.net/
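The five-minute, target-independent source block asked about in question 1, as an added example that is not part of this thread nor code from Snort, SnortSam or Guardian; the alert lines, IP addresses and the allow-listed host are constructed, and the parser assumes Snort's "fast" alert output format.

```python
from datetime import datetime, timedelta

BLOCK_WINDOW = timedelta(minutes=5)
NEVER_BLOCK = {"192.0.2.1"}   # hosts that must never be auto-blocked (sensor, DNS)

# Constructed sample alerts in Snort "fast" output style (not real captures).
ALERTS = [
    "01/26-13:50:02.000000 [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:0 -> 192.0.2.10:0",
    "01/26-13:51:10.000000 [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:4321 -> 192.0.2.11:80",
]

def parse_time(ts_text, year=2003):
    # Fast-format timestamps carry no year (MM/DD-HH:MM:SS.usec); supply one.
    return datetime.strptime(f"{year}/{ts_text}", "%Y/%m/%d-%H:%M:%S.%f")

def parse_alert(line, year=2003):
    """Return (timestamp, source IP) for one fast-format alert line."""
    ts_text, rest = line.split(" [**] ", 1)
    flow = rest.rsplit(" [**] ", 1)[1]          # "... {TCP} src:port -> dst:port"
    src = flow.split(" -> ")[0].split()[-1].rsplit(":", 1)[0]
    return parse_time(ts_text, year), src

class ReactiveBlockList:
    """Per-source block covering every later packet from that source,
    whatever its target, until the window lapses."""
    def __init__(self, window=BLOCK_WINDOW, never_block=NEVER_BLOCK):
        self.window = window
        self.never_block = never_block
        self.expiry = {}            # source IP -> time the block lapses
    def observe(self, ts, src):
        """Start or extend the block for src when an alert fires."""
        if src in self.never_block:
            return False            # refuse to block protected hosts
        self.expiry[src] = ts + self.window
        return True
    def should_drop(self, ts, src):
        """True while src is inside its window, regardless of target IP."""
        until = self.expiry.get(src)
        if until is None:
            return False
        if ts >= until:
            del self.expiry[src]    # window lapsed; forget the source
            return False
        return True

def replay(alerts=ALERTS):
    """Feed the sample alerts through a fresh block list and return it."""
    bl = ReactiveBlockList()
    for line in alerts:
        bl.observe(*parse_alert(line))
    return bl
```

The allow-list is the piece a reactive design needs most: without it, alerts with a spoofed source can make the sensor cut off its own gateway or DNS.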

