[Snort-users] Snort Block Plugin.

CGhercoias at ...8619... CGhercoias at ...8619...
Wed May 26 10:37:13 EDT 2004


What if the attack (NMAP scan) comes from the same IP address as the
external interface of the firewall -- through the decoy function of
NMAP, or IP spoofing? How about ARP spoofing -- Cain and Abel software,
or ettercap?
How does this piece of software deal with these scenarios?
Will this create a DoS on the firewall?

Thank you,
Catalin A. Ghercoias
WEB/Network Security Administrator 

Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768
website: http://www.fye.com 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
akhenato at ...11860...
Sent: Wednesday, May 26, 2004 6:46 AM
To: Snort List
Subject: [Snort-users] Snort Block Plugin.

Hi, I want to upload a piece of contrib software that integrates with snort.
The objective of this project is the creation of software
that can be used to control the IP traffic arriving at a
server exposed to the Internet through a firewall, where there
is a NIDS (snort) detecting attack patterns.
When the NIDS detects an attack pattern, a rule is fired that
ends with the creation of a filter in the firewall that drops
the traffic from the suspected source address.
The NIDS and the firewall are not needed to run on the same
This software provides server and client applications that
integrate with snort to block any source IP address for a
specified time. The client must be run on the snort system and
is a snort plugin. The server must be installed (and running) on
a system acting as a firewall (where the netfilter rules are applied).
A rule must be configured in the snort rules files that fires
the plugin when the defined condition is reached.
I need some help to test and optimize this software, adding
features like encrypted communication between client and server,
and some others that can be practical for the project.
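
The spoofing concern raised in the reply, as an added example that is not part of the thread or of the plugin's code: a sketch of a check the firewall-side server could apply before turning a block request into a DROP rule. The class name, the limits and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import time

# Constructed sample values, not taken from the thread.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "203.0.113.1/32",    # firewall's own external interface (assumed)
    "203.0.113.254/32",  # upstream gateway (assumed)
    "192.168.0.0/16",    # internal networks (assumed)
    "127.0.0.0/8",
)]
MAX_ACTIVE_BLOCKS = 3    # small cap so a spoofed flood cannot fill the rule table
MAX_TTL = 3600           # seconds; longest block a client may request


class BlockTable:
    """Decides whether a block request from the Snort side becomes a DROP rule."""

    def __init__(self, now=time.time):
        self.now = now
        self.active = {}  # ip -> expiry timestamp

    def expire(self):
        """Remove and return blocks whose time has run out."""
        t = self.now()
        expired = [ip for ip, exp in self.active.items() if exp <= t]
        for ip in expired:
            del self.active[ip]
        return expired

    def request_block(self, src, ttl):
        self.expire()
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return "rejected: not an IP address"
        # A spoofed or decoy source must never lock out the firewall itself.
        if any(ip in net for net in NEVER_BLOCK):
            return "rejected: protected address"
        expiry = self.now() + max(1, min(int(ttl), MAX_TTL))
        if ip in self.active:
            self.active[ip] = expiry  # refresh, no new rule
            return "refreshed"
        if len(self.active) >= MAX_ACTIVE_BLOCKS:
            return "rejected: block table full"
        self.active[ip] = expiry
        return "blocked"
```

A spoofed third-party address that is not on the protected list is still blocked until its timer runs out, which is why the sketch bounds both the block duration and the number of active blocks.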
