[Snort-devel] Question about snort alerts
Lamont R. Peterson
lamont at ...2434...
Wed May 11 10:36:32 EDT 2005
On Tuesday 10 May 2005 12:34pm, Geries Handal wrote:
> Dear Snort developers,
> I would like to know if there is any way to read real-time alerts from Snort. The
> purpose is that I want to try to write a module that will respond to
> some attacks in a certain way... For example, if I detect a portscan, or a
> worm, etc., I want to send a command to a firewall or Cisco router and block
> the attack. I was thinking of using the unix domain socket option of Snort, but
> I don't know if it's the right way to go. Maybe you can help me by giving me
> some documentation, tips, references, etc., anything... Tell me how I can
> access the socket using Java or C/C++. I don't want to use any plugins... I
> want to code it myself... directly accessing the socket. Thanks
As Raju pointed out, you are looking for an IPS (Intrusion Prevention System).
Check the resources mentioned in Raju's response.
Snort already has the capability to "actively" react. Use the "resp" &
"react" rule options.
However, as we point out in our GL510 course (where we spend some time
covering Snort setup, configuration, management and rule writing), IPS can
actually introduce complicated security problems or even be a threat in
itself. We have a lab exercise where students create Snort rules that
"activate" firewall rules and demonstrate how an attacker can use that to
mount DoS attacks very easily.
The moral of the story is: be very, very careful with IPS. There is a huge
marketing push going on in the commercial IDS world for IPS, but I haven't
seen any of them that make solving such problems any easier or even possible.
Granted, I have not spent much time examining those products, either.
Perhaps someone else would care to comment.
Lamont R. Peterson <lamont at ...2434...>
Guru Labs, L.C. http://www.GuruLabs.com/
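One defender-side shape for the response module Geries asks about, written to respect the caution in Lamont's reply: an added example, not code from either poster or from the Snort project. It parses Snort's alert_fast text output (the unix-socket output is a binary struct and is not handled here) and only blocks a source inside explicit limits: a never-block list of critical hosts, a rate cap per time window and a TTL on every block. The GuardedBlocker class, the apply_block firewall hook and the sample alert lines are all assumptions.

```python
import re
import time

# Field layout of a Snort "alert_fast" line (sample lines further down are constructed).
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_fast_alert(line):
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None

class GuardedBlocker:
    def __init__(self, never_block, max_blocks, window_s, ttl_s, apply_block):
        self.never_block = set(never_block)   # hosts that must never be cut off
        self.max_blocks, self.window_s, self.ttl_s = max_blocks, window_s, ttl_s
        self.apply_block = apply_block        # hypothetical firewall hook: (ip, ttl_s)
        self.issued = []                      # times of blocks issued in the window

    def handle(self, line, now=None):
        now = time.time() if now is None else now
        alert = parse_fast_alert(line)
        if alert is None:
            return "ignored"
        src = alert["src"]
        # Guard 1: a spoofed or tricked source must never blackhole a critical host
        # (gateway, DNS, upstream); that is the self-inflicted DoS the thread warns about.
        if src in self.never_block:
            return "refused-protected"
        # Guard 2: cap blocks per window so a flood of alerts cannot wall off the network.
        self.issued = [t for t in self.issued if t > now - self.window_s]
        if len(self.issued) >= self.max_blocks:
            return "refused-ratelimit"
        # Guard 3: every block carries a TTL so a bad decision is never permanent.
        self.apply_block(src, self.ttl_s)
        self.issued.append(now)
        return "blocked"

SAMPLE_ALERTS = [  # constructed alert_fast lines using documentation IP ranges
    "05/11-10:36:32.000001  [**] [1:2003:5] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 198.51.100.7:1234 -> 192.0.2.10:1434",
    "05/11-10:36:33.000002  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.1 -> 192.0.2.10",
    "05/11-10:36:34.000003  [**] [1:1000001:1] hypothetical SSH brute force [**] [Priority: 2] {TCP} 203.0.113.9:4444 -> 192.0.2.10:22",
]

def run_demo(now=1000.0):
    applied = []   # what the firewall hook was asked to block
    blocker = GuardedBlocker(never_block={"192.0.2.1"}, max_blocks=1, window_s=60,
                             ttl_s=600, apply_block=lambda ip, ttl: applied.append(ip))
    results = [blocker.handle(a, now=now) for a in SAMPLE_ALERTS]
    return results, applied, blocker
```

In a real deployment the never-block set should include every gateway, resolver and partner address whose loss would hurt more than the attack being blocked.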