Snort mailing list archives

SnortSam Block on all snort/barnyard2 alerts by default


From: Robert Z <robrob2626 () yahoo com>
Date: Sun, 24 Jul 2011 14:21:16 -0700 (PDT)

Is there a way to block all snort/barnyard2 alerts by default with the snortsam plugin patch?

If not, how hard would it be to add such an option to the snortsam patch?

The reason I am asking is that managing "sid-block.map" file with over 21000 sids seems overly complex.

A good solution would be to:

1. add an option like so: "output alert_fwsam: 127.0.0.1:898/mypassword blockoption:src,15min"
    All snort/barnyard2 alerts would be blocked by default for 15 min by source.


2. If "sid-block.map" is detected, the default would be overridden by sid.

3. If rulefile.rules has a "fwsam: src, 5 minutes" option, that would override the default and sid-block.map.

4. If there is an override sid in snortsam.conf, that would override the "sid-block.map" file, the default and the rulefile.rules option.

The point of all this would be to minimize the amount of sid block times we would have to track on every rule database update.


I would like to hear your thoughts on this.
Robert
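The four-level precedence proposed above (snortsam.conf override, then the rule's fwsam option, then sid-block.map, then the output-line default) is easy to get wrong when several sources name the same sid. The following is an added example, not code from the post, from Snort or from SnortSam: it parses each source into a table and resolves one sid against all four. The "blockoption:src,15min" syntax and the snortsam.conf override table are the post's proposal, and the "<who>, <n> <unit>" spec format for sid-block.map entries and fwsam rule options is an assumption; all input data is constructed.

```python
"""Precedence resolver for the block policy sketched in the post.

Added example, not SnortSam code. The option syntax ("blockoption:src,15min",
an override table in snortsam.conf) is the post's proposal; the
sid-block.map and fwsam rule-option formats are assumed to be "<who>, <n> <unit>".
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class BlockSpec:
    who: str      # "src" or "dst": which address of the alert to block
    seconds: int  # block duration in seconds

_UNITS = {"s": 1, "sec": 1, "second": 1,
          "m": 60, "min": 60, "minute": 60,
          "h": 3600, "hr": 3600, "hour": 3600,
          "d": 86400, "day": 86400}

def parse_spec(text: str) -> BlockSpec:
    """Parse 'src, 5 minutes' or 'dst,1h' into a BlockSpec (assumed format)."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 2 or parts[0].lower() not in ("src", "dst"):
        raise ValueError(f"bad block spec: {text!r}")
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", parts[1])
    if not m:
        raise ValueError(f"bad duration: {parts[1]!r}")
    unit = m.group(2).lower()
    if len(unit) > 1 and unit.endswith("s"):   # minutes -> minute, hrs -> hr
        unit = unit[:-1]
    if unit not in _UNITS:
        raise ValueError(f"unknown unit: {unit!r}")
    return BlockSpec(parts[0].lower(), int(m.group(1)) * _UNITS[unit])

def parse_sid_map(text: str) -> Dict[int, BlockSpec]:
    """sid-block.map style lines '<sid>: <who>, <duration>'; '#' comments ignored."""
    table: Dict[int, BlockSpec] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        sid, spec = line.split(":", 1)
        table[int(sid)] = parse_spec(spec)
    return table

def parse_rule_options(rules: str) -> Dict[int, BlockSpec]:
    """Collect the 'fwsam:' option from every rule line that also carries a sid."""
    table: Dict[int, BlockSpec] = {}
    for line in rules.splitlines():
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        opt = re.search(r"\bfwsam:\s*([^;]+);", line)
        if sid and opt:
            table[int(sid.group(1))] = parse_spec(opt.group(1))
    return table

def parse_default(output_line: str) -> Optional[BlockSpec]:
    """Pull the proposed 'blockoption:<who>,<duration>' off an output line."""
    m = re.search(r"blockoption:\s*(.+)$", output_line)
    return parse_spec(m.group(1).strip()) if m else None

def resolve(sid: int, default: Optional[BlockSpec],
            sid_map: Dict[int, BlockSpec], rule_opts: Dict[int, BlockSpec],
            conf_overrides: Dict[int, BlockSpec]) -> Tuple[Optional[BlockSpec], str]:
    """First source that names the sid wins; order is the post's precedence."""
    for name, table in (("snortsam.conf", conf_overrides),
                        ("rule option", rule_opts),
                        ("sid-block.map", sid_map)):
        if sid in table:
            return table[sid], name
    return default, "default"

# Constructed sample inputs (not real rules or a real sid-block.map).
OUTPUT_LINE = "output alert_fwsam: 127.0.0.1:898/mypassword blockoption:src,15min"
SID_MAP = """# constructed sid-block.map
2002: dst, 1 hour
1000001: dst, 30 minutes
"""
RULES = '''alert tcp any any -> any 80 (msg:"constructed rule"; sid:1000001; fwsam: src, 5 minutes;)
alert tcp any any -> any 22 (msg:"constructed rule"; sid:3; fwsam: dst, 10 min;)
'''
CONF_OVERRIDES = {3: parse_spec("src, 1 day")}  # assumed snortsam.conf override table

def decide(sid: int) -> Tuple[Optional[BlockSpec], str]:
    """Resolve one sid against all four constructed sources."""
    return resolve(sid, parse_default(OUTPUT_LINE), parse_sid_map(SID_MAP),
                   parse_rule_options(RULES), CONF_OVERRIDES)

if __name__ == "__main__":
    for sid in (1000001, 2002, 3, 9999):
        spec, source = decide(sid)
        print(f"sid {sid}: block {spec.who} for {spec.seconds}s (from {source})")
```

Sid 1000001 appears in both sid-block.map and a rule, and the rule's 5-minute src block wins; sid 3 has a rule option but the snortsam.conf override takes precedence over it; sid 9999 is in none of the tables and falls through to the 15-minute default from the output line.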