[Snort-devel] Where to do the stuff?
bmc at ...227...
Wed Jan 24 11:46:40 EST 2001
According to Todd Lewis:
> Ok, I want to use the following syntax:
> alert icmp any any -> any any (msg:"Misc. ICMP traffic";verdict:"discard";);
> The verdict will be one of "accept", "drop", or "reject", which
> will map to PA_PACKET_VERDICT_ACCEPT, PA_PACKET_VERDICT_DROP,
> PA_PACKET_VERDICT_REJECT. If no verdict is specified, then the rule
> will be set to PA_PACKET_VERDICT_NO_ACTION.
Is snort the place to do this? I would think the best place to put those
types of things would be on a firewall. You wouldn't want to put a verdict
on an ongoing session. Just use RESP or REACT. Of course, react needs some
work, but the idea is there.