[Snort-users] (no subject)

Chris Green cmg at ...671...
Fri Nov 23 04:16:01 EST 2001


"Don Dowling" <dowling_denis at ...125...> writes:
>
> Hi
>
> I'm looking at snort as a solution to a problem I've been given.
> Basically, we have a PCAnywhere machine on our corporate LAN. We want to
> allow an external company to access this machine for software updates.
> Obviously this is a security risk so we are looking at solutions that
> will eliminate this risk. One is to configure a linux firewall with
> scripts to disable all traffic (except PCAnywhere) using iptables when
> PCAnywhere traffic is detected and to enable all other traffic when no
> PCAnywhere traffic is detected. 

Why do you allow everything on machines without PCAnywhere?

> I'm looking at snort as the means of detecting the traffic but my
> question is can I configure snort to execute a script that will run
> iptables to disable all other traffic?

You should write a swatch script (http://oit.ucsb.edu/~eta/swatch/)
to perform the reconfiguration for the "detected traffic case".

I think the correct solution though would be to have your admins VPN
to a local machine and then use PC Anywhere to admin.
-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.
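
A sketch of the swatch-driven reconfiguration suggested above, as an added example that is not part of the original message or of swatch or Snort. The rule message "LOCAL pcAnywhere session", the script path, the PCA_LOCKDOWN chain and the stamp file are assumed names; 5631/tcp and 5632/udp are the standard pcAnywhere ports.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: a local Snort
# rule whose msg is "LOCAL pcAnywhere session", this script's path, and a
# chain created once with:
#   iptables -N PCA_LOCKDOWN && iptables -I FORWARD -j PCA_LOCKDOWN
# swatchrc:  watchfor /LOCAL pcAnywhere session/
#                exec /usr/local/sbin/pca-gate.sh alert
# crontab:   * * * * * /usr/local/sbin/pca-gate.sh tick
CHAIN="PCA_LOCKDOWN"
IDLE=300                                   # seconds of silence before unlocking
STAMP="${STAMP:-/var/run/pca-gate.stamp}"  # holds epoch of the last alert
IPT="${IPT:-echo iptables}"                # dry run; export IPT=iptables to apply

# Record an event and print the resulting action: lock, unlock or none.
# $1 = alert (from swatch) or tick (from cron), $2 = current epoch seconds
on_event() {
    last=$(cat "$STAMP" 2>/dev/null || true)
    case "$1" in
        alert)
            echo "$2" > "$STAMP"
            if [ -z "$last" ]; then echo lock; else echo none; fi ;;
        tick)
            if [ -n "$last" ] && [ $(( $2 - $last )) -ge "$IDLE" ]; then
                rm -f "$STAMP"; echo unlock
            else
                echo none
            fi ;;
    esac
}

# Apply an action. Flushing first keeps repeated locks idempotent.
apply() {
    case "$1" in
        lock)
            $IPT -F "$CHAIN"
            for dir in --dport --sport; do      # both directions of the session
                $IPT -A "$CHAIN" -p tcp "$dir" 5631 -j ACCEPT   # pcAnywhere data
                $IPT -A "$CHAIN" -p udp "$dir" 5632 -j ACCEPT   # pcAnywhere status
            done
            $IPT -A "$CHAIN" -j DROP ;;
        unlock)
            $IPT -F "$CHAIN" ;;
    esac
}

case "${1:-}" in
    alert|tick) apply "$(on_event "$1" "$(date +%s)")" ;;
esac
```

The lockdown only takes effect after Snort has logged the alert and swatch has read it, so the first packets of a session cross the firewall while other traffic is still allowed.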



