Snort mailing list archives

Snort as IPS and correlation


From: Daniel Lopez <danilogo1991 () gmail com>
Date: Fri, 10 Apr 2015 18:26:39 +0200

Hi
I have the following question about Snort:
I have Snort configured to perform some active response tasks,
like closing TCP sessions and modifying iptables rules through snortsam.

I would like to know if it's possible to make the system work following these
steps:

1- Snort receives a packet that matches a rule [RULE A] (RULE A
includes blocking the source address in iptables through snortsam)

2- Action for [RULE A] stands in "standby" until another rule [RULE B] is
matched

3- Once [RULE B] is matched, then [RULE A] performs the actions configured on
it.

Is this possible?
How can I do it?
Is there any other way to perform this?
Thanks
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

