Snort mailing list archives

Using snortsam on preprocessor rules


From: Berkay Koyutürk <berkay.koyuturk () labrisnetworks com>
Date: Tue, 10 Oct 2017 15:59:53 +0300

I am using snortsam to block IP addresses. I can't use inline mode and nfqueue as it considerably decreases network traffic performance.

Currently I am trying to detect TCP protocol anomalies and block the sources. I am using the stream preprocessor for this. But the problem is that snort generates alerts for these anomalies but can't block them using snortsam.

This rule generates the alerts (but not with the message "MY ALERT MESSAGE"; it uses the message from gen-msg.map instead):

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "MY ALERT MESSAGE"; gid: 129; sid: 2; metadata: rule-type preproc;)

When I add fwsam to the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "MY ALERT MESSAGE"; gid: 129; sid: 2;  metadata: rule-type preproc; fwsam:src, 10 seconds;)

Snort gives the following error when launching:
Preprocessor and decoder rules do not support detection options: fwsam.

As I said in the beginning, using Snort in inline mode is not an option for me because of the serious network performance impact. So how can I block these alerts generated by preprocessors using snortsam?

Thanks.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
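The error quoted in the post shows that detection options such as fwsam are rejected on preprocessor and decoder rules, so the block decision for a gid 129 alert has to be made outside the rule itself. The following added example (not code from the post, from snortsam, or from the Snort project) shows one defender-side way to do that: read Snort's alert_fast log, keep only alerts from chosen generator IDs, and maintain a source-IP block list with an expiry, mirroring the "fwsam:src, 10 seconds" intent. It assumes the alert_fast line layout shown in the comment (timestamp, [gid:sid:rev], message, optional classification, priority, protocol, src:port -> dst:port, IPv4 only); the log lines, IP addresses and messages are constructed, and the year is assumed because alert_fast timestamps carry none. The list is generic over the set of generator IDs, not only 129.

```python
import re
from datetime import datetime, timedelta

# Assumed alert_fast layout (an assumption of this example, not taken from the post):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log lines (not real Snort output); gid/sid values are illustrative.
SAMPLE_ALERTS = [
    "10/10-15:59:53.000001  [**] [129:2:1] Stream5: constructed TCP anomaly [**] "
    "[Priority: 3] {TCP} 203.0.113.7:44321 -> 192.0.2.10:80",
    "10/10-15:59:54.000002  [**] [1:1000001:1] constructed signature rule hit [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:5555 -> 192.0.2.10:22",
    "10/10-16:00:01.000003  [**] [129:2:1] Stream5: constructed TCP anomaly [**] "
    "[Priority: 3] {TCP} 203.0.113.7:44322 -> 192.0.2.10:80",
    "this line is not an alert",
]


def parse_alert(line, year=2017):
    """Parse one alert_fast line into a dict; return None for lines that do not match.

    The year is an assumption: alert_fast timestamps only carry month/day and time.
    """
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f").replace(year=year)
    return {
        "time": ts,
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


class TimedBlockList:
    """Source-IP blocks with an expiry, the semantic of 'fwsam:src, <n> seconds'."""

    def __init__(self):
        self._until = {}  # ip -> datetime at which the block lapses

    def block(self, ip, at, duration):
        # A repeat alert extends the block; it never shortens an existing one.
        expiry = at + duration
        if ip not in self._until or self._until[ip] < expiry:
            self._until[ip] = expiry

    def active(self, now):
        """Set of IPs whose block has not yet lapsed at time 'now'."""
        return {ip for ip, until in self._until.items() if until > now}


def blocks_from_alerts(lines, gids=frozenset({129}), duration=timedelta(seconds=10)):
    """Feed alert lines through the parser; block sources of alerts from the chosen GIDs.

    Returns (block_list, number_of_unparseable_lines) so malformed lines are visible, not silent.
    """
    bl = TimedBlockList()
    skipped = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        if alert["gid"] in gids:
            bl.block(alert["src"], alert["time"], duration)
    return bl, skipped


if __name__ == "__main__":
    bl, skipped = blocks_from_alerts(SAMPLE_ALERTS)
    print("unparseable lines:", skipped)
    print("blocked at 16:00:05:", sorted(bl.active(datetime(2017, 10, 10, 16, 0, 5))))
```

Whatever enforces the block (a firewall rule pushed by a helper, or snortsam fed from this list rather than from the rule option) only needs the output of `active()` at each tick; keeping the expiry logic separate from the enforcement step means a stream-preprocessor alert and a signature alert are handled by the same path, with the GID set deciding which generators are allowed to trigger a block.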