[Snort-users] Block Conncection

Alberto Gonzalez albertg at ...7149...
Sat Dec 7 00:03:02 EST 2002

    Well, the Resp[1] keyword doesn't "block" connections, it has the 
ability to send rst packets and or ICMP error messages. I
don't consider this blocking(IE: dropping the packet, no response). The 
manual illustrates 2 examples of using the Resp keyword
within a rule. You can choose multpiel modifiers at the same time. To 
block connections (some might agree that this is bad) I
suggest you either employ SnortSam[2] and or Hogwash[2]. I've played 
with the Resp keyword, not much.

    What was the result you got from your tests? The very few ones I did 
actually got some nice results. I'm a fan of hybrid solutions
(dont want to get into the IPS stuff.) Hopefully the technology will 
grow from here. Hope my 2 cents help you out!


    - Alberto

[1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22
[2] - http://www.snortsam.net
[3] - http://hogwash.sourceforge.net

Atul Shrivastava wrote:

> *Hi,*
> *Can anyone tell me how can we block certain connection, let sat that 
> I want to block every connection for telnet that uses username "root"*
> *Can anybody give me the rule. This will illustrate me the use of 
> "react" keyword. I know that this keywork works with three modes: 1. 
> Block the source   2. Block the Destination   3. Block both of them.*
> *I have also used them but not get the desired result. Please tell me 
> the required and efficient rule if somebody has tested it fully.*
> *Thnaks in advance.*
> *Regards and have a nice day,*
> *                                         Atul Shrivastava*

The secret to success is to start from scratch and keep on scratching.

More information about the Snort-users mailing list