[Snort-sigs] Re: snort v1.9 and iptables

Russell Fulton r.fulton at ...575...
Thu Jan 2 01:44:03 EST 2003

On Thu, 2003-01-02 at 15:08, Roanne Tang wrote:
> Maybe I should rephrase my question.
> Is snort able to replace bits in an attacked packet such that its 
> payload becomes harmless?

No. Snort is normally a passive device (but see below).

> If so, is there any documentation I could refer to? In particular 
> snort's integration with a firewall.

You can get snort to 'do things' (like send RST on certain alerts), but you
need to be very careful with this because many of the alerts are false
+ve, so unless you are very certain of the rule you may end up killing
legitimate sessions.

Another thing you can do is postprocess the alerts and perform actions
(like blocking on the FW), but this has the same caveats as above.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
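An added example (not code from the thread, from Snort or from iptables) of the alert post-processing Russell describes, built around the caveats he raises: a POSIX shell/awk filter that turns Snort fast-alert lines into iptables DROP commands only for rule SIDs you have decided to trust, only after a source has tripped them repeatedly, and never for allowlisted sources. The SIDs, addresses and alert lines are constructed, and the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Post-process Snort "fast" alert lines into iptables block commands.
# Guards: act only on trusted SIDs, skip allowlisted sources, require
# THRESHOLD hits per source. Nothing here runs iptables; output is a dry run.

# Constructed sample alerts in Snort's fast-alert layout (hypothetical SIDs/IPs).
ALERTS='01/02-15:08:01.000001 [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:80
01/02-15:08:02.000002 [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 203.0.113.5:4445 -> 192.0.2.10:80
01/02-15:08:03.000003 [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 203.0.113.5:4446 -> 192.0.2.10:80
01/02-15:08:04.000004 [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 10.0.0.7:5000 -> 192.0.2.10:80
01/02-15:08:05.000005 [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 10.0.0.7:5001 -> 192.0.2.10:80
01/02-15:08:06.000006 [**] [1:1000001:1] TEST probe [**] [Priority: 2] {TCP} 10.0.0.7:5002 -> 192.0.2.10:80
01/02-15:08:07.000007 [**] [1:1000002:1] NOISY sig [**] [Priority: 3] {TCP} 198.51.100.9:2000 -> 192.0.2.10:80
01/02-15:08:08.000008 [**] [1:1000002:1] NOISY sig [**] [Priority: 3] {TCP} 198.51.100.9:2001 -> 192.0.2.10:80
01/02-15:08:09.000009 [**] [1:1000002:1] NOISY sig [**] [Priority: 3] {TCP} 198.51.100.9:2002 -> 192.0.2.10:80'

# Rule SIDs you are certain of (space separated), sources never to block,
# and how many hits from one source before a block command is emitted.
TRUSTED_SIDS="1000001"
ALLOWLIST="10.0.0.7 192.0.2.1"
THRESHOLD=3

# block_cmds: read alert lines on stdin, print one iptables command per
# source IP that hit a trusted SID at least THRESHOLD times and is not allowlisted.
block_cmds() {
    awk -v sids="$TRUSTED_SIDS" -v allow="$ALLOWLIST" -v thr="$THRESHOLD" '
    BEGIN {
        n = split(sids, a, " ");  for (i = 1; i <= n; i++) trusted[a[i]] = 1
        n = split(allow, b, " "); for (i = 1; i <= n; i++) safe[b[i]] = 1
    }
    # Field layout: $3 is "[gid:sid:rev]"; the line ends "src:port -> dst:port".
    /\[\*\*\]/ {
        split($3, p, ":")              # p[2] is the sid
        if (!trusted[p[2]]) next       # ignore rules we do not trust
        src = $(NF-2); sub(/:[0-9]+$/, "", src)
        if (safe[src]) next            # never block allowlisted sources
        hits[src]++
    }
    END {
        for (ip in hits) if (hits[ip] >= thr)
            print "iptables -I INPUT -s " ip " -j DROP"
    }'
}

printf '%s\n' "$ALERTS" | block_cmds
```

Review the printed commands before wiring the script to a real firewall; the allowlist and threshold are the only things standing between a noisy rule and a blocked legitimate host.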

