[Snort-users] Snort dropping packages. How to ?

Jason security at ...5028...
Thu Oct 10 20:26:02 EDT 2002


Be very careful using these options. Especially with virus content.

In the case of mail, the sending server will continue to attempt to 
deliver the mail until the message expires. POP users could have the 
connection to the server closed and not be able to get any mail past 
that message.

In the case of an auto propagating virus you could end up creating a 
storm of traffic as the virus will keep sending and you will keep 
attempting to close.

The good with the bad. Like any tool, you have to know how to use it.

Alberto Gonzalez wrote:
> You might want to take a look at 'resp' and/or 'react'.
> 
> React has the ability to implement flexible reactions for traffic that 
> matches a given snort rule. I guess the main function you're looking for 
> is 'block'.
> 
> Check section 2.3.22 for Resp and section 2.3.24 for React in the "Snort 
> Users Manual".
> 
> hope it helps
> 
>    - Albert
> 
> armando at ...7138... wrote:
> 
>> Hi Guys,
>>
>> I'm with a doubt in snort, if someone can help me. ;)
>>
>> I have snort.conf using several rules. One of these files is
>> virus.rules, where I only have virus signatures. =]
>>
>> And these rules are working properly when a virus arrives (it detects
>> the virus and logs).
>>
>> But I would like Snort not to log only; I would like Snort to log and
>> drop (delete) the package which mismatch with a virus signature (based
>> on virus.rules). :))
>>
>> How to do it ??
>>
>> Some idea ??
>>
>> Thkz a lot.
>>
>> Best Regards.
>>
>> [ ]'s
>>
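
The options discussed in this thread, written out as rules. This is an added example, not part of the original messages: the content strings, messages and sids are constructed placeholders, and the variables are the ones defined in the stock snort.conf.

```snort
# Constructed example. "PLACEHOLDER-VIRUS-MARKER" stands in for a real
# signature from virus.rules; sids are taken from the local range.
# 'resp' only works when Snort was built with --enable-flexresp.

# 1. Log only: what virus.rules does today.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
    (msg:"VIRUS placeholder marker in inbound mail"; \
     content:"PLACEHOLDER-VIRUS-MARKER"; sid:1000001; rev:1;)

# 2. Log and reset both ends of the SMTP session.
#    Caveat from the reply above: the sending server treats the reset as a
#    failed delivery, keeps the message queued and retries until it expires.
#    Every retry matches again, so expect repeated alerts and resets.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
    (msg:"VIRUS placeholder marker in inbound mail (reset)"; \
     content:"PLACEHOLDER-VIRUS-MARKER"; resp:rst_all; \
     sid:1000002; rev:1;)

# 3. Same idea on a POP3 download (server -> client).
#    Caveat from the reply above: the message stays in the mailbox, so the
#    client is reset at the same message on every poll and never gets past it.
alert tcp $EXTERNAL_NET 110 -> $HOME_NET any \
    (msg:"VIRUS placeholder marker in POP3 download (reset)"; \
     content:"PLACEHOLDER-VIRUS-MARKER"; resp:rst_all; \
     sid:1000003; rev:1;)

# 4. 'react' with the 'block' modifier, in the form the Snort Users Manual
#    shows for web traffic: close the connection and send a notice carrying
#    the rule's msg text to the browser.
alert tcp any any <> $HOME_NET 80 \
    (msg:"Blocked by policy (placeholder)"; \
     content:"PLACEHOLDER-VIRUS-MARKER"; react:block, msg; \
     sid:1000004; rev:1;)
```

Both keywords act after the matching packet has been seen on the wire: they tear the session down rather than removing the packet, which is why the retry behaviour described in the reply matters.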




