[Snort-sigs] Snort as IPS and correlation

Daniel Lopez danilogo1991 at ...2420...
Fri Apr 10 12:26:39 EDT 2015

I have the following question about Snort:
I have Snort configured to perform some tasks of active response,
like closing TCP sessions and modifying iptables rules through snortsam.

I would like to know if it's possible to make the system work following this

1- Snort receives a packet that matches a rule [RULE A] (RULE A
includes blocking the source address in iptables through snortsam)

2- Action for [RULE A] stands in "standby" until another rule [RULE B] is

3- Once [RULE B] is matched, then [RULE A] performs actions configured on

Is this possible?
How can I do it?
Is there any other way to perform this?