[Snort-users] Dropping Connections

Chris Green cmg at ...671...
Fri Mar 23 13:20:35 EST 2001


Joe Barr <warthawg at ...1645...> writes:

> I was a little surprised not to find rules which reset
> connections in the database, or perhaps even block the
> attacking IP address a la portsentry.
> 
> Is resetting or dropping a connection not considered to
> be the best line of action during an attack? 

Active measures are not something in the default system because the
default is that you will get noise and you will learn how to trim the
alerts to what matters to you.  Sending RSTs or whatever in the
default ruleset would change the default snort install from something
noisy to something impeding your network.

I believe there will be patches in the future to allow snort to act as
a smart firewall and perhaps have its own set of rules but that is
well into the future. I forgot what the fancy name for this kinda
system is. 
-- 
Chris Green <cmg at ...671...>



