[Snort-users] third party utility to kill ...

Matt Kettler mkettler at ...4108...
Thu Jan 31 10:42:03 EST 2002


The Snort FAQ describes why trying to invoke an external process from an 
IDS is generally a bad idea (hint: this creates a security hole that allows 
your IDS to be bypassed by causing it to waste so much time invoking 
processes that it starts missing packets).

Read the FAQ:

http://www.snort.org/docs/faq.html#5.9

And yes, the FAQ mentions a bit about the speed of this on Windows, but 
it's not acceptably fast to do in *nix either.

At 04:18 PM 1/30/2002 -0600, Ronneil Camara wrote:
>I would like to kill a tcp connection other than making use of flexresp.
>I want to make use of tcpkill by Dugsong.
>
>Is there a way I can call this program once an alert, say web-iis cmd.exe,
>is sensed by snort, then snort is going to execute tcpkill -9 <target_ip>?
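
The reply's argument, worked through as an added example (not code from the thread, the Snort FAQ, or Snort itself): a deterministic model of a single-threaded sensor whose rule handler runs inline, compared against log-only alerting. All figures (10,000 packets/s, 20 µs inspection, 5 ms per spawned process, a 64-slot capture buffer, one alert per ten packets) are constructed assumptions, not measurements.

```python
from collections import deque

def simulate(alerts, interarrival_us, inspect_us, handler_us, buffer_slots):
    """Single-threaded sensor with a bounded capture buffer.

    alerts[i] is True when packet i matches a rule. The handler runs inline,
    so the sensor cannot read the next packet until the handler returns.
    """
    in_system = deque()   # finish times of packets queued or in service
    busy_until = 0        # time at which the sensor becomes idle
    inspected = dropped = 0
    first_drop = None
    for i, is_alert in enumerate(alerts):
        now = i * interarrival_us
        # Release buffer slots for packets already fully processed.
        while in_system and in_system[0] <= now:
            in_system.popleft()
        if len(in_system) >= buffer_slots:
            # Buffer full: the packet is lost and never inspected.
            dropped += 1
            if first_drop is None:
                first_drop = i
            continue
        cost = inspect_us + (handler_us if is_alert else 0)
        busy_until = max(now, busy_until) + cost
        in_system.append(busy_until)
        inspected += 1
    return {"inspected": inspected, "dropped": dropped, "first_drop": first_drop}

# Constructed workloads (assumed values, see lead-in).
QUIET = [False] * 10_000                      # no packet matches a rule
NOISY = [i % 10 == 0 for i in range(10_000)]  # every tenth packet alerts
LINK = dict(interarrival_us=100, inspect_us=20, buffer_slots=64)

def compare():
    """Run the three scenarios that separate traffic load from handler cost."""
    return {
        "quiet, exec per alert": simulate(QUIET, handler_us=5000, **LINK),
        "noisy, log only": simulate(NOISY, handler_us=0, **LINK),
        "noisy, exec per alert": simulate(NOISY, handler_us=5000, **LINK),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24} {result}")
```

Only the third scenario loses packets: the same alert-heavy traffic is fully inspected when alerts are merely logged, which isolates the inline process launch as the cause of the blind spot.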




