Snort mailing list archives

active response + managing sensors


From: "Marcin Laskowski" <cineklas () wp pl>
Date: Wed, 24 Mar 2004 09:20:47 +0100

Hi,
I want to configure Snort to reconfigure the firewall
when there is an attack from some IP. How should I
do it? I read something about Snortsam, but I don't think
it's the best choice (there have to be 2 network
interfaces - I have only eth0). I think that guardian
would be better because my Snort works as a HIDS.
What do you think?

The second problem is that I would like to have
a few sensors in my local network, so they could
detect attacks and log everything into a database
server (mysql). I have ACID installed, but I read
somewhere that there is a possibility to manage snort
rules and other options using ACID via http.
How can I do it?

The third problem is with iptables - how should
I configure rules in sensors? Block all ports except
the one which snort will use to log to mysql server?


-------------------------------------------
Best Regards, Marcin Laskowski  
