[Snort-sigs] To drop packets

Matt Kettler mkettler at ...189...
Mon Dec 8 10:33:06 EST 2003

At 01:03 PM 12/8/2003, Anna Patil wrote:
>Is there any option to drop perticular packet (like alert is for logging).

1) this belongs on snort-users, not snort-sigs.

2) by itself, snort is a passive sniffer that operates in parallel with the 
local TCP/IP stack. Thus, if snort "drops" a packet, nothing happens to the 
copy in the TCP/IP stack.

There are tools that cause snort's alerts to reconfigure a firewall, 
inline-snort is a linux-kernel specific patch to do this.

Snortsam works on multiple firewalls, even external ones (ie: serial 
connection to a PIX) but isn't truly realtime and will block a source of 
traffic a couple of milliseconds after the alert was triggered.

snort comes with flexresp, and flexresp2, which are attempts to kill an 
ongoing communication session by spoofing reset packets and ICMP errors. 
However it should be understood that this mechanism is not 100% reliable 
and should not be treated as if it were a firewall replacement.

More information about the Snort-sigs mailing list