[Snort-devel] Where to do the stuff?

Brian bmc at ...227...
Wed Jan 24 11:46:40 EST 2001


According to Todd Lewis:
> Ok, I want to use the following syntax:
> 
>   alert icmp any any -> any any (msg:"Misc. ICMP traffic";verdict:"discard";);
> 
> The verdict will be one of "accept", "drop", or "reject", which
> will map to PA_PACKET_VERDICT_ACCEPT, PA_PACKET_VERDICT_DROP,
> PA_PACKET_VERDICT_REJECT.  If no verdict is specified, then the rule
> will be set to PA_PACKET_VERDICT_NO_ACTION.

Is Snort the place to do this?  I would think the best place to put those
types of things would be on a firewall.  You wouldn't want to put a verdict
on an ongoing session.  Just use RESP or REACT.  Of course, react needs some
work, but the idea is there.

-brian



