[Snort-sigs] RE : Snort Response. See guardian.pl

David Bouscasse bouscasse_david at ...174...
Wed Dec 12 01:33:01 EST 2001


The guardian.pl script (Antony Stevens; see
www.snort.org) does that: it reads the output of the
alert file to block the offending IP.

guardian.pl
...
# Open the Snort alert file and read past everything already in it,
# so that only alerts written after start-up are acted on.
open (ALERT, $alert_file) or die "open $alert_file: $!\n";
@junk=<ALERT>;
# this is the same as a tail -f :)
for (;;) {
  sleep 1;
  # seek(FH, 0, 1) moves nowhere, but it clears the EOF condition on
  # the handle, so the next read picks up lines appended since the
  # last pass.
  if (seek(ALERT,0,1)){
...

To respond to a specific attack with a specific
action, a program could use the rules files.


> From: "Wiedenfeld, Scot R. (Sytex Contractor)"
> <scot.wiedenfeld.sytex at ...215...>
> To: snort-sigs at lists.sourceforge.net
> Date: Tue, 11 Dec 2001 12:37:47 -0600
> Subject: [Snort-sigs] Snort Response
>
>        Does Snort have the capability to respond to
> an intrusion or anomaly by executing another program,
> e.g. finger, dig, traceroute, tcpdump, etc.?



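Editor's added example for this thread (not guardian.pl and not Snort's own code). It shows the two things the reply describes in a runnable form: a tail -f style follower over the alert file, and a per-signature action table so that a given SID triggers a given response instead of a blanket block. The alert lines are constructed in the shape of Snort's one-line "fast" alert output; the SIDs, addresses and action names are assumptions for illustration. One caveat the Perl snippet does not show: the source address in a single-packet alert (ICMP, UDP, an unestablished TCP SYN) can be spoofed, so an auto-blocker driven by the alert file needs a never-block list for the sensor, gateway and DNS, or it becomes a denial-of-service tool against your own network.

```python
"""Follow a Snort alert file and map each alert to a response.

Added example, not guardian.pl or Snort code.  Alert lines are constructed
in fast-alert shape; SIDs, addresses and actions are assumed values.
"""
import re
import sys
import time
from typing import Dict, Iterator, Optional, Set, Tuple

# Fast-format alert:  <stamp>  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)

# Hosts that must never be blocked, whatever the alert says (assumed addresses:
# the sensor itself, the gateway, the protected server, DNS).  Source addresses
# in single-packet alerts can be spoofed, so without this list an attacker can
# make the blocker cut you off from your own infrastructure.
IGNORE: Set[str] = {"127.0.0.1", "192.168.1.1", "192.168.1.2", "192.168.1.53"}

# Per-SID policy (assumed SIDs).  A SID not listed here is only logged, so a
# new noisy rule cannot start blocking by accident.
ACTIONS: Dict[int, str] = {
    1000: "block",      # scan signature: drop the source at the firewall
    1001: "log",        # informational rule: record only
    1002: "capture",    # start a packet capture on the source
}
DEFAULT_ACTION = "log"


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert's fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def decide(alert: dict) -> Tuple[str, str]:
    """Map one parsed alert to (action, source_ip); IGNORE always wins."""
    src = alert["src"]
    if src in IGNORE:
        return ("skip", src)
    return (ACTIONS.get(alert["sid"], DEFAULT_ACTION), src)


def process_lines(lines) -> Iterator[Tuple[str, str]]:
    """Parse and decide over an iterable of lines; non-alert lines are dropped."""
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            yield decide(alert)


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """tail -f: yield complete lines appended to path, forever.

    As in the Perl snippet, content already in the file is skipped.  Python's
    file object has no sticky EOF flag, so no seek(0, 1) is needed; a partial
    line (no trailing newline yet) is rewound and re-read on the next pass.
    """
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)                  # jump past existing alerts
        while True:
            pos = fh.tell()
            line = fh.readline()
            if not line.endswith("\n"):
                fh.seek(pos)           # nothing new, or a half-written line
                time.sleep(poll)
                continue
            yield line


# Constructed sample alerts in fast format (not real traffic).
SAMPLE_ALERTS = [
    "12/11-12:37:47.123456  [**] [1:1000:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4321 -> 192.168.1.2:80",
    "12/11-12:37:48.000001  [**] [1:1001:2] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 192.168.1.2",
    "12/11-12:37:49.000002  [**] [1:1000:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.1:40000 -> 192.168.1.2:22",
    "12/11-12:37:50.000003  [**] [1:9999:1] WEB-MISC something [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51000 -> 192.168.1.2:80",
    "not an alert line",
]

if __name__ == "__main__":
    # python snort_respond.py /var/log/snort/alert   (path is an assumption)
    source = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    for action, ip in process_lines(source):
        print(action, ip)
```

The "block" action is left as a name rather than a firewall call on purpose: what it should run (ipchains in 2001, nftables today) depends on the gateway, and the decision logic is the part worth testing separately from the command that enforces it.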



