[Snort-users] Blocking Attack

Neil Dickey neil at ...1633...
Tue Apr 17 12:27:04 EDT 2001


"Michel A. S. Pereira - KIDMumU[InTrance]" <michelcultivo at ...1836...> wrote:

>    Hi, I want to know if there's a plugin for Snort to block attacks,
>or deny traffic for a specified time.

There is a capability in Snort to respond to packets, but you have to run
the 'configure' program with the '--enable-flexresp' switch set before you
compile the program.  This feature allows Snort to respond to packets which
meet certain criteria, e.g. they come from a certain IP or have thus-and-such
content, by sending packets intended to shut down the traffic.

In my experience, this feature works but does not always have the desired
effect.  Depending on the nature of the traffic, you can trigger a packet
storm which will pack the filesystem containing your logs in very short order.
Obviously, depending on how your system is configured, that can cause you
some serious problems.

If you really want to block attacks, I suggest you investigate one of the
packet filters which are available -- such as IPFilter.  That's what they
are designed for.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
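
As an added illustration (not part of the message above, and not taken from the Snort distribution): rules using the `resp` keyword, which a build configured with '--enable-flexresp' accepts. The addresses, ports, content string and messages are constructed for the example.

```snort
# Requires a Snort binary built with:  ./configure --enable-flexresp
# Constructed example: 192.168.1.0/24 stands in for the protected network,
# 192.0.2.10 for a source address you want to respond to.

# Respond by content: when the payload contains the given string, send a
# TCP RST to both ends of the session (rst_all).
alert tcp any any -> 192.168.1.0/24 80 (content: "EXAMPLE-STRING"; resp: rst_all; msg: "Example content match, session reset";)

# Respond by source IP: reset connection attempts (SYN) from one address.
# rst_snd sends the RST to the sending side only; rst_rcv would send it to
# the receiving side.
alert tcp 192.0.2.10 any -> 192.168.1.0/24 any (flags: S; resp: rst_snd; msg: "Example source match, sender reset";)

# UDP has no reset, so the response is an ICMP unreachable sent to the
# sender: icmp_net, icmp_host, icmp_port, or icmp_all for all three.
alert udp any any -> 192.168.1.0/24 31337 (resp: icmp_port; msg: "Example UDP match, ICMP port unreachable sent";)
```

Every match produces both an alert and one or more response packets, so the narrower the address, port and content criteria, the fewer of each a busy link will generate.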



