[Snort-users] Bad Traffic, Port

Martin Bündgens mb at ...10481...
Wed Dec 24 17:28:01 EST 2003


----- Original Message -----
From: "Josh Berry" <josh.berry at ...10221...>
To: "Martin Bündgens" <mb at ...10481...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, December 24, 2003 11:47 PM
Subject: Re: [Snort-users] Bad Traffic, Port


> Are you running Snort on the IPTables machine?  If so even though you are
> blocking port 0 traffic, I believe that Snort can still see the traffic
> that is coming at the box.  So, you are blocking port 0 but Snort reads
> the traffic off of libpcap before it is denied by IPTables.

That's right.

Anyway, I thought about a solution. Is it possible to add an IPTables
command to a Snort rule (drop all packets from the IP which break the Snort
rule)? That would do it, I think, since it would stop the constant
flooding.

Regards,
Martin Bündgens.
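
The idea raised in this message, blocking the source address of packets that trigger a Snort rule, sketched as an added example that is not part of the original post. It reads alerts in Snort's fast alert layout and builds iptables DROP commands without running them; the sample alert lines, function names, threshold and allowlist are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort's "fast" alert layout (not real traffic).
SAMPLE_ALERTS = """\
12/24-17:20:01.100000  [**] [1:524:8] BAD-TRAFFIC tcp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:0 -> 192.0.2.10:0
12/24-17:20:02.100000  [**] [1:524:8] BAD-TRAFFIC tcp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:0 -> 192.0.2.10:0
12/24-17:20:03.100000  [**] [1:524:8] BAD-TRAFFIC tcp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.23:0 -> 192.0.2.10:0
12/24-17:20:04.100000  [**] [1:524:8] BAD-TRAFFIC tcp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.1:0 -> 192.0.2.10:0
12/24-17:20:05.100000  [**] [1:524:8] BAD-TRAFFIC tcp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.1:0 -> 192.0.2.10:0
12/24-17:20:06.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

# Captures the rule message and the source address; the port is optional (ICMP has none).
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)

def offenders(alert_text, msg_substring, threshold, allowlist=()):
    """Return source IPs that triggered the matching rule at least `threshold` times."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or msg_substring not in m.group("msg"):
            continue
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address in the log line: never pass it to iptables
        # Source addresses can be forged, so own hosts and gateways are never blocked.
        if any(ip in net for net in allowed):
            continue
        hits[ip] += 1
    return [str(ip) for ip in sorted(hits) if hits[ip] >= threshold]

def drop_commands(ips):
    """Build one iptables argv list per address; nothing is executed here."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]

if __name__ == "__main__":
    for cmd in drop_commands(offenders(SAMPLE_ALERTS, "port 0", 2, ["192.0.2.0/24"])):
        print(" ".join(cmd))
```
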




