[Snort-users] Question on snort redirecting

Owen McCusker mccusker at ...10962...
Wed Feb 4 13:12:17 EST 2004

Check out the Unix domain socket output.
Setup your own listener to receive data.
Then you can mirror alerts from the Snort IDS.
There is also some opensorce proxy software out there
to facilitate forwarding.

But, since Snort is passive, that is interprets
all traffic, and is not like an "active" firewall,
that uses proxys to manage connections that can
effect routing, it cannot "reroute" the traffic. It can only
"mirror" certain types of data about the traffic that have been
detected by the system using various rules. The data
can be the traffic itself as represented by tcpdump format.,
depending on how you have the output, plugins
configure (tcpdump - binary data).

There may be projects out there that combine routing
and IDS. I think the baitnswitch goes down that road from t
the previous post.

If you start forwarding traffic associated with an attack
you may also want to check out the threshold capabilities
in Snort. You may indirectly create a DOS on yourself
if there is a lot of data from through your "forwarding"


>Hi All,
>    Can snort redirect packet or traffic to other
>  computer?
>My case is:
>Attacker->linux box(with snort)----Internal(computer A
>and B)
>    Suppose an attacker is to attack my linux box. Can
>  I forward the attacker's traffic to computer A in my
>  Intarnet? At the same time, normal traffic to
>  computer B?
>    As you know, I don't know the attacker's IP before
>  attack. How can I redirect it? Do I need to read
>  from the snort database? Can snort know how to
>redirect? or Do I need to write some scripts?
>    Many Thanks!
>  Best,
>  Fred
>òQñüóÈ“þ  èÓêSòAˆ¥
>The SF.Net email is sponsored by EclipseCon 2004
>Premiere Conference on Open Tools Development and Integration
>See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040204/07f20295/attachment.html>

More information about the Snort-users mailing list