[Snort-users] third party utility to kill ...

Ronneil Camara ronneilc at ...4042...
Thu Jan 31 11:24:05 EST 2002


Hi Matt,

Granted. So, what's your approach then?

-> -----Original Message-----
-> From: Matt Kettler [mailto:mkettler at ...4108...]
-> Sent: Thursday, January 31, 2002 12:43 PM
-> To: Ronneil Camara; snort-users at lists.sourceforge.net
-> Subject: Re: [Snort-users] third party utility to kill ...
-> 
-> 
-> The snort FAQ describes why trying to invoke an external 
-> process from an 
-> IDS is a generally bad idea (hint: this creates a security 
-> hole that allows 
-> your IDS to be bypassed by causing it to waste so much time invoking 
-> processes it starts missing packets.).
-> 
-> Read the faq:
-> 
-> http://www.snort.org/docs/faq.html#5.9
-> 
-> And yes, the FAQ mentions a bit about the speed of this on 
-> windows, but 
-> it's not acceptably fast to do in *nix either.
-> 
-> At 04:18 PM 1/30/2002 -0600, Ronneil Camara wrote:
-> >I would like to kill a tcp connection other than making use 
-> of flexresp.
-> >I want to make use of tcpkill by Dugsong.
-> >
-> >Is there a way I can call this program once an alert, say 
-> web-iis cmd.exe,
-> >is sensed by snort, then snort is going to execute tcpkill 
-> -9 <target_ip>?
-> 
-> 




More information about the Snort-users mailing list