[Snort-users] sending alerts by email / active response Win2K system [RMC-J7FLJI4]

ICB1981 at ...661... ICB1981 at ...661...
Tue Jan 28 07:42:04 EST 2003


I am not quite sure if it will work under w2000

I am using logcheck from www.psionic.com
with little changes (adding the strings from the classification config and using a third .ignore file
for the Active Attack section).

It should also work under WinNT
with some sort of Unix tools installed (can't remember
the package name, but it was free).

Some sort of active response is really easy
without any firewalling.
A simple
route delete <IP address of the attacker>
should work in most cases.
Works fine under Linux, and you have some time to update your firewall policy.
In my opinion this should be done manually.
The IP address you get can be faked or shared by many users (like DHCP, proxies, etc.).

harald
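
Added example, not part of harald's message: a sketch of the review step the post argues for, which reads Snort fast-format alerts, keeps only attack classifications, drops addresses that must never be proposed, and lists the remaining sources for an operator to act on by hand. The classification set, the never-propose ranges, the threshold and the alert lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert layout: ... [Classification: X] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[Classification: (?P<cls>[^\]]+)\].*?"
    r"\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)

# Assumed values: classifications treated as "active attack", and ranges that
# are never proposed (own network, a proxy shared by many users).
ATTACK_CLASSES = {"Web Application Attack", "Attempted Administrator Privilege Gain"}
NEVER_PROPOSE = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.8/32")]

# Constructed sample alerts (documentation address ranges, made-up SIDs).
WEB = "[**] [1:1000001:1] constructed web alert [**] [Classification: Web Application Attack] [Priority: 1]"
ADM = "[**] [1:1000002:1] constructed admin alert [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1]"
MISC = "[**] [1:1000003:1] constructed ping alert [**] [Classification: Misc activity] [Priority: 3]"
SAMPLE_ALERTS = [
    f"01/28-07:40:11.101 {WEB} {{TCP}} 203.0.113.5:4312 -> 192.0.2.10:80",
    f"01/28-07:40:12.300 {WEB} {{TCP}} 203.0.113.5:4313 -> 192.0.2.10:80",
    f"01/28-07:40:13.000 {MISC} {{ICMP}} 203.0.113.5 -> 192.0.2.10",        # not an attack class
    f"01/28-07:41:00.000 {WEB} {{TCP}} 198.51.100.8:5000 -> 192.0.2.10:80",  # shared proxy
    f"01/28-07:41:01.000 {WEB} {{TCP}} 198.51.100.8:5001 -> 192.0.2.10:80",
    f"01/28-07:41:30.000 {ADM} {{ICMP}} 203.0.113.77 -> 192.0.2.10",        # single hit, no port
    f"01/28-07:41:40.000 {WEB} {{TCP}} 999.1.1.1:1 -> 192.0.2.10:80",        # mangled address
]


def review_candidates(lines, min_hits=2):
    """Return {source_ip: hit_count} for sources worth a manual look."""
    hits = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m.group("cls") not in ATTACK_CLASSES:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # unparseable address in a damaged log line
        if any(src in net for net in NEVER_PROPOSE):
            continue  # blocking a shared or internal address hurts legitimate users
        hits[str(src)] += 1
    # A single alert is weak evidence, since the source address can be spoofed.
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in sorted(review_candidates(SAMPLE_ALERTS).items()):
        print(f"REVIEW before responding: {ip} ({n} attack-class alerts)")
```

The script only reports; it changes no routes or firewall rules.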