[Snort-sigs] To drop packets
mkettler at ...189...
Mon Dec 8 10:33:06 EST 2003
At 01:03 PM 12/8/2003, Anna Patil wrote:
>Is there any option to drop perticular packet (like alert is for logging).
1) this belongs on snort-users, not snort-sigs.
2) by itself, snort is a passive sniffer that operates in parallel with the
local TCP/IP stack. Thus, if snort "drops" a packet, nothing happens to the
copy in the TCP/IP stack.
There are tools that cause snort's alerts to reconfigure a firewall,
inline-snort is a linux-kernel specific patch to do this.
Snortsam works on multiple firewalls, even external ones (ie: serial
connection to a PIX) but isn't truly realtime and will block a source of
traffic a couple of milliseconds after the alert was triggered.
snort comes with flexresp, and flexresp2, which are attempts to kill an
ongoing communication session by spoofing reset packets and ICMP errors.
However it should be understood that this mechanism is not 100% reliable
and should not be treated as if it were a firewall replacement.
More information about the Snort-sigs