[Snort-sigs] Snort as IPS and correlation

James Lay jlay at ...3266...
Fri Apr 10 12:51:45 EDT 2015


On 2015-04-10 10:26 AM, Daniel Lopez wrote:

> Hi
> I have the following question about snort:
> I have snort configured to perform some tasks of active response,
> like closing tcp sessions, and modifying iptables rules through snortsam.
> I would like to know if it's possible to make the system work following these steps:
> 1- Snort receives a packet that matches a rule [RULE A] (RULE A includes
> blocking the source address in iptables through snortsam)
> 2- The action for [RULE A] stands in "standby" until another rule [RULE B] is matched
> 3- Once [RULE B] is matched, then [RULE A] performs the actions configured on it.
> Is this possible?
> How can I do it?
> Is there any other way to perform this?
> Thanks

I use Simple Event Correlator for things like this:

http://simple-evcorr.sourceforge.net/

Caveat is that you'll have to have snort logging to a flat file (I do to both a fast
file and syslog). Look at the PDFs linked on the page and pay special
attention to the types... you can totally have a rule that says "Do
something when rule A hits, and then if rule B hits within 10 minutes do
something else".
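The "rule A, then rule B within 10 minutes" correlation described above, as an added example that is not part of the original thread: a small Python correlator over Snort fast-format alert lines that mirrors SEC's PairWithWindow rule type (first event opens a per-source window, the second event inside the window fires the action, otherwise the window expires with no action). The SIDs, addresses and alert lines are constructed for the example; the "action" is just recorded, where a real deployment would hand the source address to snortsam/iptables.

```python
import re
from datetime import datetime

# Constructed sample alerts in Snort "fast" output format (not real traffic).
# 10.0.0.5: RULE B follows RULE A after 4m30s  -> inside the 10-minute window.
# 10.0.0.9: RULE B follows RULE A after 15m    -> window already expired.
SAMPLE_ALERTS = """\
04/10-12:00:00.000000  [**] [1:1000001:1] RULE A [**] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:22
04/10-12:04:30.000000  [**] [1:1000002:1] RULE B [**] [Priority: 1] {TCP} 10.0.0.5:44322 -> 192.168.1.10:22
04/10-12:10:00.000000  [**] [1:1000001:1] RULE A [**] [Priority: 2] {TCP} 10.0.0.9:51000 -> 192.168.1.10:22
04/10-12:25:00.000000  [**] [1:1000002:1] RULE B [**] [Priority: 1] {TCP} 10.0.0.9:51001 -> 192.168.1.10:22
"""

# Timestamp, gid:sid:rev, protocol and src/dst addresses of a fast-format line.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

RULE_A_SID = 1000001   # assumed SID of "RULE A" (the one whose block is held back)
RULE_B_SID = 1000002   # assumed SID of "RULE B" (the confirming event)
WINDOW_SECONDS = 600   # "within 10 minutes", i.e. SEC's window=600

def parse_fast_line(line, year=2015):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "src": m["src"], "dst": m["dst"]}

def correlate(lines, window=WINDOW_SECONDS):
    """PairWithWindow-style correlation keyed on source address.

    Returns (blocked, expired): sources where RULE B confirmed RULE A inside
    the window, and sources whose window lapsed without RULE B. Expiry is
    evaluated lazily when the next alert arrives; SEC uses timers instead."""
    pending = {}            # src -> time RULE A fired (open correlation window)
    blocked, expired = [], []
    for line in lines:
        ev = parse_fast_line(line)
        if ev is None:
            continue
        for src, opened in list(pending.items()):   # close stale windows first
            if (ev["ts"] - opened).total_seconds() > window:
                expired.append(src)
                del pending[src]
        if ev["sid"] == RULE_A_SID:
            pending.setdefault(ev["src"], ev["ts"])  # repeats of A are ignored
        elif ev["sid"] == RULE_B_SID and ev["src"] in pending:
            blocked.append(ev["src"])                # here: snortsam block action
            del pending[ev["src"]]
    return blocked, expired
```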



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150410/d7967eb7/attachment.html>

More information about the Snort-sigs mailing list