[Snort-users] Thoughts on Snort-flex rule?

Erek Adams erek at ...950...
Sun Jan 26 10:57:04 EST 2003


On Sun, 26 Jan 2003, Rich Adamson wrote:

> 1. Is there a way to configure snort (eg, rules or other options) to track
> portscans, web application attacks, etc, from a single source IP address,
> and flex-respond to "all" future activity from that source for the next
> five minutes (or some other preconfigured time frame) regardless of the
> next target IP from that source?

Nope.

[...snip...]

> 2. Are there any other inexpensive hardware/software solutions (besides
> commercial firewalls, in-line linux-type boxes, etc) that would act as a
> gateway of sort, that snort could control to essentially create the
> reactive function noted in #1, above?
>
> I'm quite familiar with the delay issues of reacting to such events, and
> the risk associated with not stopping the initial scans, etc.

Snort-inline could be a GIDS for you.  It's not going to have the
timeframe setup that you want, but it would be able to drop them before
entering your net.

> 3. Anyone tried to create a tcl/snmp/other mechanism to dynamically
> modify a Cisco router access control list to accomplish the above?

Guardian [0] and SnortSam [1].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.chaotic.org/guardian/
[1]	http://www.snortsam.net/
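The target-independent, time-windowed reaction asked about in #1, as an added example that is not part of this thread or of Snort itself: it assumes alerts in Snort's "fast" alert text format (constructed sample lines, constructed year since that format carries none) and models only the decision of which source to drop and until when, not the enforcement a gateway, Snort-inline or SnortSam would perform.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort fast-alert style (not from the original post).
SAMPLE_ALERTS = [
    "01/26-10:00:00.000000 [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.1.10:80",
    "01/26-10:02:30.000000 [**] [1:1000002:1] WEB-ATTACKS /etc/passwd access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4445 -> 192.168.1.20:80",
]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<sig>[^\]]+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
TRIGGER_CLASSES = {"Attempted Information Leak", "Web Application Attack"}
YEAR = 2003  # assumed: fast alerts omit the year

def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "cls": m["cls"], "msg": m["msg"]}

class SourceQuarantine:
    """Per-source block list with a sliding expiry; the destination is irrelevant."""
    def __init__(self, window_seconds=300):
        self.window = timedelta(seconds=window_seconds)
        self.expires = {}  # src ip -> time after which its traffic is allowed again

    def observe_alert(self, alert):
        if alert["cls"] in TRIGGER_CLASSES:
            # Every new trigger restarts the window from its own timestamp.
            self.expires[alert["src"]] = alert["ts"] + self.window

    def should_drop(self, src, ts):
        exp = self.expires.get(src)
        if exp is None:
            return False
        if ts >= exp:
            del self.expires[src]  # window elapsed; forget the source
            return False
        return True

def run_demo():
    q = SourceQuarantine(300)
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        if a:
            q.observe_alert(a)
    t = lambda s: datetime(YEAR, 1, 26, *map(int, s.split(":")))
    return {
        "other_target_in_window": q.should_drop("10.0.0.5", t("10:04:00")),  # new dst, still dropped
        "after_window": q.should_drop("10.0.0.5", t("10:08:00")),  # last trigger 10:02:30 + 5 min
        "unrelated_source": q.should_drop("10.0.0.9", t("10:04:00")),
    }
```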



