[Snort-devel] Question about snort alerts

Lamont R. Peterson lamont at ...2434...
Wed May 11 10:36:32 EDT 2005


On Tuesday 10 May 2005 12:34pm, Geries Handal wrote:
> Dear snort developers,
>
> I would like to know if there is any way to read real-time alerts from snort. The
> purpose is that I want to try to write a module that will respond to
> some attacks in a certain way... For example, if I detect a portscan, or a
> worm, etc., I want to send a command to a firewall or Cisco router and block
> the attack. I was thinking of using the unix domain socket option of snort, but
> I don't know if it's the right way to go. Maybe you can help me by giving me
> some documentation, tips, references, etc., anything... tell me how I can
> access the socket using Java, C/C++.. I don't want to use any plugins... I
> want to code it myself... directly accessing the socket.. thanks

As Raju pointed out, you are looking for an IPS (Intrusion Prevention System).  
Check the resources mentioned in Raju's response.

Snort already has the capability to "actively" react.  Use the "resp" & 
"react" rule options.

However, as we point out in our GL510 course (where we spend some time 
covering snort setup, configuration, management and rule writing), IPS can 
actually introduce complicated security problems or even be a threat in 
itself.  We have a lab exercise where students create snort rules that 
"activate" firewall rules and demonstrate how an attacker can use that to 
mount DoS attacks very easily.

The moral of the story is:  be very, very careful with IPS.  There is a huge 
marketing push going on in the commercial IDS world for IPS, but I haven't 
seen any of them that make solving such problems any easier or even possible.  
Granted, I have not spent much time examining those products, either.  
Perhaps someone else would care to comment.

HTH.
-- 
Lamont R. Peterson <lamont at ...2434...>
Senior Instructor
Guru Labs, L.C. http://www.GuruLabs.com/
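The failure mode Lamont describes above (alert-driven firewall blocking that an attacker can turn into a denial of service by spoofing source addresses) is easy to see in code. The following is an added example, not code from the original post, from Snort, or from the GL510 lab. It parses Snort alert_fast-style lines and compares a naive responder, which blocks the source of every alert, with a guarded one. Everything in it is constructed or hypothetical: the alert lines are made up rather than captured Snort output, the SIDs 9000001/9000002 are invented, and the "protected" address set and the set of SIDs assumed to come from rules written with `flow:established` (so their source address was confirmed by a completed TCP handshake) are assumptions of this example.

```python
import re

# Constructed alert lines in the shape of Snort's alert_fast output. Not real captures:
# the addresses, SIDs and messages are made up for this example.
SAMPLE_ALERTS = [
    "05/11-10:36:32.000001  [**] [1:9000001:1] CONSTRUCTED portscan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40000 -> 192.168.1.10:22",
    # Attacker spoofs the site's resolver as the scan source...
    "05/11-10:36:33.000002  [**] [1:9000001:1] CONSTRUCTED portscan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.53:40001 -> 192.168.1.10:23",
    # ...and the default gateway.
    "05/11-10:36:34.000003  [**] [1:9000001:1] CONSTRUCTED portscan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.1:40002 -> 192.168.1.10:80",
    # A rule that only fires inside an established TCP session: the source is not spoofable.
    "05/11-10:36:35.000004  [**] [1:9000002:1] CONSTRUCTED worm payload in session [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:51515 -> 192.168.1.10:445",
]

# Parses the alert_fast layout: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Hypothetical site facts: infrastructure we must never auto-block, and the SIDs whose
# rules carry flow:established (assumed here; in practice derived from your rule set).
PROTECTED = {"192.168.1.1", "192.168.1.53"}
SESSION_VERIFIED_SIDS = {9000002}


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["prio"] = int(fields["prio"])
    return fields


def naive_blocklist(lines):
    """First-cut responder: push every alert's source address to the firewall.
    Because a single unsolicited packet carries whatever source address the sender
    chose, an attacker decides who ends up on this list."""
    return {a["src"] for a in map(parse_alert, lines) if a}


def guarded_blocklist(lines, protected=PROTECTED, verified_sids=SESSION_VERIFIED_SIDS, budget=1):
    """Responder with the checks the lab exercise motivates:
    1. never block protected infrastructure, whatever the alert says;
    2. only act on alerts whose source was proven by a completed handshake;
    3. cap the number of new blocks per batch so the firewall cannot be flooded.
    Returns (blocked sources in order, list of (source, reason) that were skipped)."""
    blocked, skipped = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        src = alert["src"]
        if src in protected:
            skipped.append((src, "protected address"))
        elif alert["sid"] not in verified_sids:
            skipped.append((src, "source not session-verified"))
        elif len(blocked) >= budget:
            skipped.append((src, "block budget exhausted"))
        else:
            blocked.append(src)
    return blocked, skipped


if __name__ == "__main__":
    print("naive policy would block:", sorted(naive_blocklist(SAMPLE_ALERTS)))
    blocked, skipped = guarded_blocklist(SAMPLE_ALERTS)
    print("guarded policy blocks:", blocked)
    for src, reason in skipped:
        print("  skipped", src, "->", reason)
```

Run as-is, the naive policy blocks the resolver and the gateway, which is exactly the self-inflicted outage the GL510 lab produces: the attacker never needed to compromise anything, only to forge two source addresses. The guarded policy blocks only the worm source, and the budget means that even a flood of session-verified alerts from many real hosts turns into a bounded, reviewable list rather than an unbounded firewall rewrite. The same reasoning applies whether the block is issued by an external module reading alerts or by Snort's own "resp"/"react" options: the decision to block must rest on evidence the attacker cannot fabricate.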