[Snort-users] Can snort add a rule to iptables?
mkettler at ...4108...
Wed Apr 30 10:31:05 EDT 2003
At 09:30 AM 4/30/2003 -0400, Eduardo Faria wrote:
>Hi friends, I am a new one at SNORT world. I read the official
>manual and I have one doubt. Can SNORT match an attack and add
>some rule to iptables, for example to drop some IP range of
Snort itself doesn't do such things; however, several add-on packages do
this. Snortsam, inline-snort, and hogwash are good examples.
Note that the state of hogwash documentation isn't very good at this time,
so unless you can get enough docs to fully understand how hogwash works
(hint: if you enable forwarding at the kernel level you WILL compromise its
firewall), don't use that one. It is very easy to screw up, since it works as
a "second router" and doesn't interact with iptables or the kernel's own
routing (which will continue to run regardless of what hogwash does).
Snortsam seems pretty well documented; however, the documentation might
mislead you to believe that the use of encryption is done in a manner which
provides authentication and integrity of command packets between the two
machines it uses. It doesn't (they're using encryption with no MAC of any
sort, not even a CRC). Other than that minor discrepancy, it seems to be a
fine product; just make sure the wire between the two boxes is a secure
network, or is through a separate form of secure tunnel.
I've not looked closely at inline-snort, so I can't comment on how well
documented it is or isn't.
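An added illustration of the point made above about encryption without a MAC (this is not code from the original post, and it is not Snortsam's cipher, key material or wire format; the SHA-256-based toy stream cipher, the 16-byte nonce, the demo keys and the fixed-width "BLOCK src=<ip> dur=<secs>" command layout are all assumptions made for the example). It shows an attacker on the sensor-to-agent link rewriting the target IP inside an encrypted-only command without knowing the key, and the same bit-flip being rejected once an HMAC is added over the ciphertext.

```python
"""Why encryption without a MAC gives no integrity for IDS-to-firewall commands.

Added example, not Snortsam's protocol: the cipher, key sizes, nonce and the
fixed-width "BLOCK src=<ip> dur=<secs>" command layout are all assumptions.
"""
import hashlib
import hmac
import os

ENC_KEY = bytes.fromhex("11" * 32)   # demo keys only
MAC_KEY = bytes.fromhex("22" * 32)
NONCE_LEN = 16
TAG_LEN = 32

# Constructed command a sensor might send to a blocking agent. Fixed-width
# fields, so the attacker knows where the IP bytes sit in the ciphertext.
COMMAND = b"BLOCK src=203.000.113.007 dur=600"
IP_OFFSET = len(b"BLOCK src=")
IP_LEN = 15


def keystream(key, nonce, length):
    """Toy counter-mode keystream derived from SHA-256 (illustrative only).
    Any stream cipher, or CTR/OFB mode of a block cipher, is malleable the
    same way: flipping a ciphertext bit flips the same plaintext bit."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(key, nonce, plaintext):
    """Confidentiality only: XOR with the keystream; nothing authenticates it."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt_only = encrypt_only  # XOR is its own inverse


def flip_field(ciphertext, known_plain, wanted_plain, offset):
    """Attacker's move: XOR (known XOR wanted) into the ciphertext so the
    agent decrypts wanted_plain in place of known_plain. Needs no key, only
    knowledge of the original field (here assumed: a fixed command layout and
    a source IP the attacker chose when deliberately triggering the alert)."""
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known_plain, wanted_plain)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: HMAC-SHA256 over nonce + ciphertext with a separate key."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def verify_and_decrypt(enc_key, mac_key, packet):
    """Agent side: verify the tag before touching the plaintext; None on failure."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def attack_encrypt_only(command=COMMAND, victim_ip=b"192.168.001.001"):
    """Encryption without a MAC: returns the command the agent actually acts on
    after the attacker rewrites the IP field in transit."""
    nonce = os.urandom(NONCE_LEN)
    ct = encrypt_only(ENC_KEY, nonce, command)
    forged = flip_field(ct, command[IP_OFFSET:IP_OFFSET + IP_LEN], victim_ip, IP_OFFSET)
    return decrypt_only(ENC_KEY, nonce, forged)


def attack_encrypt_then_mac(command=COMMAND, victim_ip=b"192.168.001.001"):
    """Same bit-flip against an authenticated packet: the agent rejects it (None)."""
    nonce = os.urandom(NONCE_LEN)
    packet = encrypt_then_mac(ENC_KEY, MAC_KEY, nonce, command)
    forged = flip_field(packet, command[IP_OFFSET:IP_OFFSET + IP_LEN], victim_ip,
                        NONCE_LEN + IP_OFFSET)   # ciphertext starts after the nonce
    return verify_and_decrypt(ENC_KEY, MAC_KEY, forged)


def honest_encrypt_then_mac(command=COMMAND):
    """An untampered authenticated packet round-trips to the original command."""
    nonce = os.urandom(NONCE_LEN)
    return verify_and_decrypt(ENC_KEY, MAC_KEY,
                              encrypt_then_mac(ENC_KEY, MAC_KEY, nonce, command))


if __name__ == "__main__":
    print("no MAC, agent blocks: ", attack_encrypt_only())
    print("with MAC, agent gets: ", attack_encrypt_then_mac())
```

The agent in the unauthenticated case ends up blocking 192.168.001.001 (in this constructed scenario, an address of the attacker's choosing, such as the site's own gateway) even though the sensor never sent that. A CRC inside the ciphertext would not close the hole either: it is keyless and linear, so the attacker can patch the CRC bytes with the same XOR trick. Only a keyed MAC (or an AEAD mode) verified before the command is acted on gives the integrity the post says Snortsam's encryption alone does not, which is why the advice to run the sensor-to-agent link over a separately secured tunnel matters.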