[Snort-users] Thoughts on Snort-flex rule?
erek at ...950...
Sun Jan 26 10:57:04 EST 2003
On Sun, 26 Jan 2003, Rich Adamson wrote:
> 1. Is there a way to configure snort (eg, rules or other options) to track
> portscans, web application attacks, etc, from a single source IP address,
> and flex-respond to "all" future activity from that source for the next
> five minutes (or some other preconfigured time frame) regardless of the
> next target IP from that source?
> 2. Are there any other inexpensive hardware/software solutions (besides
> commercial firewalls, in-line linux-type boxes, etc) that would act as a
> gateway of sort, that snort could control to essentially create the
> reactive function noted in #1, above?
> I'm quite familiar with the delay issues of reacting to such events, and
> the risk associated with not stopping the initial scans, etc.
Snort-inline could be a GIDS for you. It's not going to have the
timeframe setup that you want, but it would be able to drop them before
entering your net.
> 3. Anyone tried to create a tcl/snmp/other mechanism to dynamically
> modify a Cisco router access control list to accomplish the above?
Guardian and SnortSam.
"When things get weird, the weird turn pro." H.S. Thompson
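The mechanism asked about in question 1 (once a source trips an alert, treat all of its traffic as blocked for a fixed window regardless of the next target) is what tools like Guardian and SnortSam implement against a firewall or router. The following is an added example, not code from this thread, from Guardian or from SnortSam: it parses constructed Snort "fast" alert lines, keeps a per-source expiry table, and replays constructed packets against it so the five-minute window can be checked. The alert format, the five-minute default and the `Blocklist`/`run` names are assumptions for the example.

```python
"""Time-windowed source blocklist driven by Snort alerts (added example)."""
import re
from datetime import datetime, timedelta

# Assumed Snort "fast" alert layout, e.g.
# 01/26-10:57:04.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: ...] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_fast_alert(line, year=2003):
    """Return (timestamp, src_ip, dst_ip, msg), or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    # Fast alerts carry no year; the caller supplies it (constructed data is from 2003).
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["src"], m["dst"], m["msg"]


class Blocklist:
    """Per-source block entries that lapse a fixed window after the last alert."""

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.expires = {}  # src_ip -> time at which the block lapses

    def on_alert(self, ts, src):
        """Start (or extend) the block on src for one full window from ts."""
        self.expires[src] = ts + self.window

    def is_blocked(self, src, now):
        """True while a block on src is in force at `now`; lapsed entries are pruned."""
        exp = self.expires.get(src)
        if exp is None:
            return False
        if now >= exp:
            del self.expires[src]
            return False
        return True


def run(alert_lines, packets, window=timedelta(minutes=5)):
    """Replay alerts and packets in time order.

    packets: iterable of (datetime, src_ip, dst_ip).
    Returns [(datetime, src_ip, dst_ip, blocked)] for every packet, where
    `blocked` is True when a block on the source is in force at that instant,
    whatever the destination.
    """
    events = []
    for line in alert_lines:
        parsed = parse_fast_alert(line)
        if parsed:
            ts, src, dst, _msg = parsed
            events.append((ts, 0, "alert", src, dst))
    for ts, src, dst in packets:
        events.append((ts, 1, "pkt", src, dst))
    events.sort(key=lambda e: (e[0], e[1]))  # alerts sort before packets at the same instant
    bl = Blocklist(window)
    decisions = []
    for ts, _, kind, src, dst in events:
        if kind == "alert":
            bl.on_alert(ts, src)
        else:
            decisions.append((ts, src, dst, bl.is_blocked(src, ts)))
    return decisions


# Constructed sample data: one alert, then packets from the alerting source
# and from an unrelated source, against a different target than the alert hit.
SAMPLE_ALERTS = [
    "01/26-10:57:04.000000  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10",
]
SAMPLE_PACKETS = [
    (datetime(2003, 1, 26, 10, 58, 0), "10.0.0.5", "192.168.1.20"),  # inside window, new target
    (datetime(2003, 1, 26, 10, 58, 0), "10.0.0.6", "192.168.1.20"),  # never alerted
    (datetime(2003, 1, 26, 11, 2, 3), "10.0.0.5", "192.168.1.30"),   # one second before expiry
    (datetime(2003, 1, 26, 11, 2, 4), "10.0.0.5", "192.168.1.30"),   # exactly at expiry
]

if __name__ == "__main__":
    for ts, src, dst, blocked in run(SAMPLE_ALERTS, SAMPLE_PACKETS):
        print(ts.time(), src, "->", dst, "BLOCKED" if blocked else "allowed")
```

The replay is deliberately destination-agnostic, which is the property the question asks for; a real deployment would hand `on_alert` to whatever pushes the rule to the gateway (SnortSam's agent or a router ACL update) and would also need to handle the delay between alert and enforcement that the original poster already notes.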