[Snort-users] Block

Matt Kettler mkettler at ...4108...
Mon Feb 16 14:09:10 EST 2004

At 11:16 AM 2/16/2004, 
Israel_Guadalupe_Lopez_Mascorro../Administracion/Jalisco at ...11223... wrote:
>Hi I would like to know if with snort or some plug I can block attacks or

For viruses, I'd really recommend NOT using snort to control these... 
install a copy of clamav or some other virus scanner on your SMTP gateway 
and make all mail go through it.

For attacks, there are 3 different tools that expand snort to have blocking 
capability, with different limitations and degrees of capability:

1) flexresp
         -not 100% reliable, but comes with snort, all you need is 
--with-flexresp for your config. Relies on attempting to desynchronize or 
reset TCP connections, or using ICMP error messages to make one or both 
systems give up on the conversation.

2) snort-inline
         - Linux kernel specific at the moment, but does true kernel-level 
firewall interaction as packets arrive.

3) snortsam
         - supports a wide variety of firewalls, but acts slightly after 
the fact. This means the packet that contained the trigger gets passed, but 
subsequent packets will get blocked, limiting the impact of the exposure.
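
Added example, not part of the original message: one constructed signature written once for each of the three mechanisms listed above, so the difference in where the block happens is visible in the rule itself. The content string, SIDs, block duration and the SnortSam agent address and password are placeholders, and the keywords assume classic Snort 2.x rule syntax with the matching build option or patch in place.

```snort
# Constructed sample rules. The content string is a placeholder, not a real
# attack signature; SIDs are taken from the local range (>= 1000000).

# 1) flexresp: Snort still only alerts, but the resp keyword makes it inject
#    TCP resets toward both ends of the session after the match. The resets
#    race the real traffic, which is why this is not 100% reliable.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 \
    (msg:"EXAMPLE placeholder pattern, reset both sides"; \
     flow:to_server,established; content:"PLACEHOLDER-PATTERN"; \
     resp:rst_all; sid:1000001; rev:1;)

# 2) snort-inline: packets are handed to Snort by the Linux kernel firewall,
#    so the rule action itself decides the verdict. "drop" discards the
#    matching packet before it is forwarded, and logs it.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 \
    (msg:"EXAMPLE placeholder pattern, dropped inline"; \
     flow:to_server,established; content:"PLACEHOLDER-PATTERN"; \
     sid:1000002; rev:1;)

# 3) snortsam: the rule alerts as usual and the fwsam option asks the
#    SnortSam agent to block the source on the firewall for a fixed time.
#    The triggering packet has already passed; only later packets are blocked.
#    Agent address (documentation range) and password below are placeholders.
output alert_fwsam: 192.0.2.10/PLACEHOLDER-PASSWORD

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 \
    (msg:"EXAMPLE placeholder pattern, block source via firewall"; \
     flow:to_server,established; content:"PLACEHOLDER-PATTERN"; \
     fwsam: src, 5 minutes; sid:1000003; rev:1;)
```

With options 1 and 3, a source the rule matches by mistake is reset or blocked as well, so whitelisting critical hosts and keeping block durations short limits the damage a false positive or a spoofed source address can do.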
