[Snort-sigs] Snort as IPS and correlation

Daniel Lopez danilogo1991 at ...2420...
Fri Apr 10 12:26:39 EDT 2015


Hi
I have the following question about Snort:
I have Snort configured to perform some active response tasks,
like closing TCP sessions and modifying iptables rules through snortsam.

I would like to know if it's possible to make the system work following these
steps:

1- Snort receives a packet that matches a rule [RULE A] (RULE A
includes blocking the source address in iptables through snortsam)

2- Action for [RULE A] stands in "standby" until another rule [RULE B] is
matched

3- Once [RULE B] is matched, then [RULE A] performs actions configured on
it.

Is this possible?
How can I do it?
Is there any other way to perform this?
Thanks