Snort mailing list archives

Re: Block


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 16 Feb 2004 13:48:14 -0500

At 11:16 AM 2/16/2004, Israel_Guadalupe_Lopez_Mascorro../Administracion/Jalisco@jalisc wrote:
Hi I would like to know if with snort or some plug I can block attacks or
virus

For viruses, I'd really recommend NOT using snort to control these... install a copy of clamav or some other virus scanner on your SMTP gateway and make all mail go through it.

For attacks, there are 3 different tools that expand snort to have blocking capability, with different limitations and degrees of capability:

1) flexresp
- not 100% reliable, but comes with snort, all you need is --with-flexresp for your config. Relies on attempting to desynchronize or reset TCP connections, or using ICMP error messages to make one or both systems give up on the conversation.

2) snort-inline
- Linux kernel specific at the moment, but does true kernel-level firewall interaction as packets arrive.

3) snortsam
- supports a wide variety of firewalls, but acts slightly after the fact. This means the packet that contained the trigger gets passed, but subsequent packets will get blocked, limiting the impact of the exposure.



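Added example, not part of Matt Kettler's message: how each of the three mechanisms described above is typically expressed in a rule set. The port, content string, SIDs and SnortSam host/password are constructed placeholders, and the syntax assumes Snort 2.x-era builds with the respective option or patch compiled in.

```conf
# Constructed example rules; the port, content string, SIDs and the
# SnortSam host/password are placeholders, not values from the post.

# 1) flexresp: an ordinary alert rule plus the "resp" option. Snort sends
#    TCP RSTs to both ends (rst_all) after it has seen the matching
#    packet, so it races the real traffic and can lose that race.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE flexresp reset"; flow:to_server,established; content:"EXAMPLE-TRIGGER"; resp:rst_all; sid:1000001; rev:1;)

# 2) snort-inline: the rule action itself is "drop". Packets are handed
#    to Snort through the netfilter queue (for example
#    "iptables -A FORWARD -j QUEUE"), so the matching packet is never
#    forwarded to the protected host.
drop tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE inline drop"; flow:to_server,established; content:"EXAMPLE-TRIGGER"; sid:1000002; rev:1;)

# 3) snortsam: an output plugin tells the SnortSam agent on the firewall
#    to block, and the "fwsam" option says whom to block and for how long.
#    The triggering packet has already passed when the block takes effect.
output alert_fwsam: 192.0.2.10/CHANGE_ME
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXAMPLE snortsam block"; flow:to_server,established; content:"EXAMPLE-TRIGGER"; fwsam: src, 10 minutes; sid:1000003; rev:1;)
```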

