[Snort-users] Flexible response

Paul Enlund paul at ...3515...
Wed Sep 19 08:59:05 EDT 2001


I am testing an extension to sp_respond.c which allows a new response directive
"block_peer" to be specified.

On being called from within web-iis rules which catch this latest CR type
exploit, snort forks a background script. This script is passed the peer's
IP address. In my case I am simply blocking the peer's access to port 80,
sleeping for 20 seconds, then clearing the block.

The effect is to greatly reduce the IP traffic and server logs.

Anybody interested in the changes to sp_respond.c is welcome if they
drop me a line.

PE
--
+------------------------------------------------------------------+
|  UAC Technology:  OS9/OS9000 software services & support         |
|  Information:     www.uactech.co.uk                              |
|  Email:           paul at ...3515...                             |
|  Telephone:       +44 (0)191 4565970 Fax +44 (0) 8700549430      |
+------------------------------------------------------------------+
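
One way to write the kind of background script the message describes, as an added example that is not the poster's script or part of Snort. It assumes Linux iptables and root privileges; the names block_peer, valid_ipv4, fw_rule, FW_CMD and BLOCK_SECS are hypothetical.

```shell
#!/bin/sh
# Added example: timed port-80 block for one peer (hypothetical script).
# Assumes Linux iptables and root; override FW_CMD to dry-run.
FW_CMD=${FW_CMD:-iptables}
BLOCK_SECS=${BLOCK_SECS:-20}   # block duration given in the post

# Accept only a dotted-quad IPv4 address. The argument ends up on a
# firewall command line, so everything else is rejected.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

fw_rule() {   # $1 = -I (insert) or -D (delete), $2 = peer address
    $FW_CMD "$1" INPUT -s "$2" -p tcp --dport 80 -j DROP
}

block_peer() {
    peer=$1
    if ! valid_ipv4 "$peer"; then
        echo "block_peer: refusing invalid address" >&2
        return 2
    fi
    fw_rule -I "$peer" || return 1
    # Remove the rule even if the script is killed during the sleep.
    trap 'fw_rule -D "$peer"; exit 1' INT TERM
    sleep "$BLOCK_SECS"
    fw_rule -D "$peer"
    status=$?
    trap - INT TERM
    return "$status"
}

# Run only when an address is supplied, e.g. by the IDS response hook.
if [ "$#" -gt 0 ]; then
    block_peer "$1"
fi
```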
