[Snort-users] Discard Packets

Frank Knobbe FKnobbe at ...649...
Thu Oct 26 19:02:49 EDT 2000

Hash: SHA1

Snort is an Intrusion Detection tool, not an Intrusion Prevention
tool. Even if you configure it to reset a connection, chances are the
packet(s) are already in the mail server. Since there is no
capture-store-check-n-forward in snort (like you would have with a
virus scanner running on top of your firewall), snort only sees the
packets passing by. If it detects a pattern, the packet is already
across the wire. By the time snort has snorted this out... uhm...
sorted out, logged its alert, and reset the connection, the 1-10
packets that make up the virus infected email are already in your
email server queue.

If you want to prevent packets from entering your network, use a
firewall. If you want to prevent virii from entering your system, use
virus scanner software. Snort is just not the right tool for that
(it's an excellent 'detection' system though).


- -----Original Message-----
From: Elton Ramos Carvalho [mailto:elton.carvalho at ...702...]
Sent: Thursday, October 26, 2000 12:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Discard Packets

       I`m a snort user and configure it to reset connections with
the cotent ".vbs", but it don't "block" the mails with it
content....I continue receiving the mail with the vbs file...the mail
server send the mail per 3 or 5 days(probably because snort reset the
connection) with the #$%*& vbs file...Can I use snort to discard the
packets with this content(editing the snort source code)??????Or
anybody has other idea to block or reject it????? 
Elton Ramos Carvalho 

Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.


More information about the Snort-users mailing list