Re: Snort as IPS and correlation

[James Lay <jlay () slave-tothe-box net>]

On 2015-04-10 10:26 AM, Daniel Lopez wrote: 

> Hi
> I have the
following question about snort:
> I have snort configured to perform
some tasks of active response,
> like closing tcp sessions, and
modifying Iptables's rules through snortsam. 
> I would like to know if
it's possible make the system work following this steps:
> 1- Snort
receive a packet that matches with a rule [RULE A] (RULE A includes
blocking source address in iptables through snortsam)
> 2- Action for
[RULE A] stands in "standby" until another rule [RULE B] is matched
>
3- Once [RULE B] is matched, then [RULE A] performs actions configured
on it.
> Is this possible?
> How can I do it? 
> Is there any other
way to perform this?
> Thanks

I use Simple Event Correlator for things
like this: 

http://simple-evcorr.sourceforge.net/ [1] 

Caveat is that
you'll have to have snort logging to a flat file (I do to both a fast
file and syslog). Look at the pdf's linked on the page and pay special
attention to the types...you can totally have a rule that says "Do
something when rule A hits, and then if rule B hits within 10 minutes do
something else". 

James 

 

Links:
------
[1]
http://simple-evcorr.sourceforge.net/

------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!