mkettler at ...4108...
Tue Nov 26 10:57:02 EST 2002
Snort itself doesn't support this, but there are add-on tools that do. For
You can also use logwatch to monitor your snort log and kick off shell
scripts to do whatever you want.
IMNSHO however, automated reconfiguration of your firewall is fraught with
1) If you do automated shunning of IPs based on triggering of snort
rules I can now DoS you off the net by spoofing attacks from all the root
DNS server IPs. Now you've blocked them and won't be able to resolve DNS
until you go to your firewall and remove the entries. I can add them back
faster than you can remove them until you turn this feature of your snort
2) Since your firewall can be configured automatically, this means
the authentication mechanism to snort is stored in your snort box. If I can
penetrate your snort box I can now reconfigure your firewall any way I want
to suit my needs. This effectively widens your security risks unless you're
positive the snort box cannot access the internet.
At 09:48 AM 11/26/2002 -0800, Mike Koponick wrote:
>Does SNORT support adding commands to firewalls? As an example, if I
>received a BAD packet, I would like to add a filter based on that
>information to my firewall. I understand that SNORT cannot decide which
>packets are bad, but I would think we would be able to trace an issue once
>the command has been executed.
>Thanks in advance,
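One way to put guardrails around the automated shunning the reply warns about, as an added example that is not from this thread or from Snort itself: the alert line, the protected address ranges, the cap and the expiry time are all constructed for illustration, and the caller is assumed to run the actual firewall change.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Snort "fast" alert line (not a real capture); only the
# "{proto} src:port -> dst:port" tail is parsed below.
SAMPLE_ALERT = ("11/26-10:57:02.123456 [**] [1:1000001:1] CONSTRUCTED TEST RULE [**] "
                "{TCP} 198.51.100.7:4444 -> 192.0.2.10:80")

ALERT_RE = re.compile(r"\{\w+\} (\S+?)(?::\d+)? -> ")

# Addresses that must never be shunned whatever the sensor reports: resolvers,
# upstream gateway, the sensor itself. Documentation ranges used as placeholders.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.53/32")]


def source_ip(alert_line):
    """Extract the source address from an alert line, or None if unparsable."""
    m = ALERT_RE.search(alert_line)
    return ipaddress.ip_address(m.group(1)) if m else None


class Shunner:
    """Decide whether an alert may trigger a firewall block.

    Guardrails: a never-block list (so spoofed root-server sources cannot cut
    off DNS), a cap on simultaneous blocks (so a spoofing flood cannot fill the
    firewall), and an expiry (so mistakes undo themselves without manual work).
    """

    def __init__(self, max_active=100, ttl=timedelta(minutes=30)):
        self.max_active = max_active
        self.ttl = ttl
        self.active = {}  # ip -> expiry time

    def decide(self, alert_line, now):
        """Return ("block", ip) or ("skip", reason); never touches the firewall."""
        ip = source_ip(alert_line)
        if ip is None:
            return ("skip", "unparsable")
        # Drop expired entries first so old blocks free up capacity.
        self.active = {a: exp for a, exp in self.active.items() if exp > now}
        if any(ip in net for net in NEVER_BLOCK):
            return ("skip", "protected")
        if ip in self.active:
            return ("skip", "already-blocked")
        if len(self.active) >= self.max_active:
            # Cap reached: fail safe by not blocking rather than blocking everything.
            return ("skip", "cap-reached")
        self.active[ip] = now + self.ttl
        return ("block", str(ip))
```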