[Snort-users] Dropping Connections

agetchel at ...1525... agetchel at ...1525...
Fri Mar 23 13:28:31 EST 2001

	I haven't seen or heard of one yet.  I'm getting the info from the
portscan pre-processor.  I'll throw a sniffer on a wire and see if there's
any kind of uniqueness to this scan, then write a rule to catch it.  I'll
let you all know what I find.


Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...1525...
Web     http://www.kde.state.ky.us/

> -----Original Message-----
> From: Chris Green [mailto:cmg at ...671...]
> Sent: Friday, March 23, 2001 1:21 PM
> To: Joe Barr
> Cc: Snort Users
> Subject: Re: [Snort-users] Dropping Connections
> Joe Barr <warthawg at ...1645...> writes:
> > I was a little surprised not to find rules which reset
> > connections in the database, or perhaps even block the
> > attacking IP address ala portsentry.
> > 
> > Is resetting or dropping a connection not considered to
> > be the best line of action during an attack? 
> Active measures are not something in the default system because the
> default is that you will get noise and you will learn how to trim the
> alerts to what matters to you.  Sending RSTs or whatever in the
> default ruleset would change the default snort install from something
> noisy to something impeding your network.
> I believe There will be patches in the future to allow snort to act as
> a smart firewall and perhaps have its own set of rules but that is
> well into the future. I forgot what the fancy name for this kinda
> system is. 
> -- 
> Chris Green <cmg at ...671...>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list