[Snort-sigs] Snort as IPS and correlation
jlay at ...3266...
Fri Apr 10 12:51:45 EDT 2015
On 2015-04-10 10:26 AM, Daniel Lopez wrote:
> I have the following question about snort:
> I have snort configured to perform some tasks of active response,
> like closing tcp sessions, and modifying iptables rules through snortsam.
> I would like to know if it's possible to make the system work following these steps:
> 1- Snort receives a packet that matches a rule [RULE A] (RULE A includes
> blocking source address in iptables through snortsam)
> 2- Action for [RULE A] stands in "standby" until another rule [RULE B] is matched
> 3- Once [RULE B] is matched, then [RULE A] performs actions configured
> Is this possible?
> How can I do it?
> Is there any other way to perform this?
I use Simple Event Correlator for things
Caveat is that you'll have to have snort logging to a flat file (I do to both a fast file and syslog). Look at the PDFs linked on the page and pay special attention to the types... you can totally have a rule that says "Do something when rule A hits, and then if rule B hits within 10 minutes do
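The "rule A hits, then rule B hits within 10 minutes" correlation described in the reply, written out as an added Python example (not code from the thread, from Snort or from SEC) that runs over constructed Snort alert_fast lines; the sids 1000001/1000002, the sample lines and the assumed line layout are placeholders, and the action is reported rather than sent to snortsam.

```python
import re
from datetime import datetime, timedelta

# Layout of a Snort alert_fast line (assumed); sample lines below are constructed.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_fast(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d-%H:%M:%S.%f")  # fast log has no year
    ev["sid"] = int(ev["sid"])
    return ev

def correlate(lines, sid_a, sid_b, window_minutes=10):
    """Return (src_ip, ts) for every RULE B hit that follows a RULE A hit from the
    same source within the window. A lone A, a lone B, or a B outside the window
    triggers nothing: that is the 'standby' behaviour asked about in the question."""
    window = timedelta(minutes=window_minutes)
    pending = {}   # src_ip -> timestamp of the most recent RULE A hit
    actions = []
    for line in lines:
        ev = parse_fast(line)
        if ev is None:
            continue
        if ev["sid"] == sid_a:
            pending[ev["src"]] = ev["ts"]          # arm the action, but do not fire yet
        elif ev["sid"] == sid_b:
            t_a = pending.pop(ev["src"], None)
            if t_a is not None and ev["ts"] - t_a <= window:
                actions.append((ev["src"], ev["ts"]))  # here snortsam would block src
    return actions

# Constructed sample log: sid 1000001 stands in for RULE A, 1000002 for RULE B.
SAMPLE_LOG = [
    "04/10-10:00:00.000000  [**] [1:1000001:1] RULE A [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:22",
    "04/10-10:03:00.000000  [**] [1:1000002:1] RULE B [**] [Priority: 1] {TCP} 192.0.2.10:4445 -> 198.51.100.5:22",
    "04/10-10:05:00.000000  [**] [1:1000002:1] RULE B [**] [Priority: 1] {TCP} 192.0.2.20:1234 -> 198.51.100.5:80",
    "04/10-10:06:00.000000  [**] [1:1000001:1] RULE A [**] [Priority: 2] {TCP} 192.0.2.30:5555 -> 198.51.100.5:22",
    "04/10-10:30:00.000000  [**] [1:1000002:1] RULE B [**] [Priority: 1] {TCP} 192.0.2.30:5556 -> 198.51.100.5:22",
]

if __name__ == "__main__":
    for src, ts in correlate(SAMPLE_LOG, 1000001, 1000002):
        print(f"block {src} (RULE B at {ts.strftime('%H:%M:%S')} after RULE A)")
```

Only 192.0.2.10 fires: 192.0.2.20 never tripped RULE A, and 192.0.2.30's RULE B came 24 minutes after its RULE A, outside the 10-minute window.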