[Snort-users] Block Connection
albertg at ...7149...
Sat Dec 7 00:03:02 EST 2002
Well, the Resp keyword doesn't "block" connections; it has the
ability to send RST packets and/or ICMP error messages. I
don't consider this blocking (i.e., dropping the packet, no response). The
manual illustrates 2 examples of using the Resp keyword
within a rule. You can choose multiple modifiers at the same time. To
block connections (some might agree that this is bad) I
suggest you either employ SnortSam and/or Hogwash. I've played
with the Resp keyword, not much.
What was the result you got from your tests? The very few ones I did
actually got some nice results. I'm a fan of hybrid solutions
(don't want to get into the IPS stuff). Hopefully the technology will
grow from here. Hope my 2 cents help you out!
 - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22
 - http://www.snortsam.net
 - http://hogwash.sourceforge.net
Atul Shrivastava wrote:
> Can anyone tell me how we can block a certain connection? Let's say that
> I want to block every connection for telnet that uses username "root".
> Can anybody give me the rule? This will illustrate for me the use of the
> "react" keyword. I know that this keyword works with three modes: 1.
> Block the source 2. Block the Destination 3. Block both of them.
> I have also used them but did not get the desired result. Please tell me
> the required and efficient rule if somebody has tested it fully.
> Thanks in advance.
> Regards and have a nice day,
> Atul Shrivastava
The secret to success is to start from scratch and keep on scratching.
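
For reference, a rule of the kind discussed in this thread, added here as an example and not taken from either poster or from the Snort manual. It assumes Snort was built with flexible response support, that $HOME_NET and $EXTERNAL_NET are set in snort.conf, and that the telnet server echoes the username after its "login: " prompt; the message text and the sid are constructed local values.

```snort
# Added example (not from the thread).
# Build requirement: ./configure --enable-flexresp
#
# resp modifiers, which may be combined with commas:
#   rst_snd   send TCP RST to the sending socket
#   rst_rcv   send TCP RST to the receiving socket
#   rst_all   send TCP RST in both directions
#   icmp_net  send ICMP network unreachable to the sender
#   icmp_host send ICMP host unreachable to the sender
#   icmp_port send ICMP port unreachable to the sender
#   icmp_all  send all of the ICMP messages above to the sender
#
# The match is on server-to-client traffic (flow:from_server), because
# that is where the login prompt and the echoed username appear.
# Snort only sees a copy of the packet, so the matching packet is still
# delivered; resp tears the session down afterwards with injected RSTs.
# It is a best-effort reset, not a drop.
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"LOCAL telnet root login, session reset"; flow:from_server,established; content:"login: root"; resp:rst_all; sid:1000001; rev:1;)
```

If the packet must never reach its destination, the enforcement point has to sit in the traffic path or drive a firewall, which is what the Hogwash and SnortSam suggestions above refer to.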