[Snort-users] snort block

James Riden j.riden at ...11179...
Tue Nov 30 18:14:04 EST 2004


"reynald" <rtm at ...10097...> writes:

>    hello guys,
>
>    Can somebody tell me if it's possible to have snort block a
>    host/s when a specific rule alerted 10 times?

Yes :)

You can either use snort-inline for 'true' blocking, or you can use
flexresp2 which simply sends fake TCP RSTs to tear the connection
down, or I think there are other plugins which will add firewall rules
(e.g. for iptables or Cisco PIXs). Or you could hack up a custom perl
script to parse /var/log/snort/alert and take whatever action you like
when a particular IP address has triggered a particular rule M times
in N minutes.

I used the latter technique (with portscan.log) in a script which
would go and clobber Blaster/Welchia/Sasser infected hosts after so
many portscan alerts.

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
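
An added example, not part of the original thread, of the "parse the alert log and count per-IP hits" approach Jamie describes: it assumes Snort's single-line "fast" alert format (the multi-line "full" format would need a different parser), takes the year as a parameter because fast-format timestamps omit it, and runs over constructed sample lines using documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort's single-line "fast" alert format (assumed here; the "full" format differs).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alert(line, year=2004):
    """Return (timestamp, sid, source_ip) for one fast-format line, else None.
    The fast timestamp carries no year, so the caller supplies it."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return ts, int(m["sid"]), m["src"]

def offenders(lines, sid, threshold, window_minutes, year=2004):
    """Source IPs that fired rule `sid` at least `threshold` times inside any
    `window_minutes` span (sliding window). Lines are assumed in log order."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # source ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        parsed = parse_alert(line, year)
        if parsed is None or parsed[1] != sid:
            continue
        ts, _, src = parsed
        hits = recent[src]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # expire hits older than the window
            hits.popleft()
        if len(hits) >= threshold and src not in flagged:
            flagged.append(src)
    return flagged

# Constructed sample log lines (documentation-range IPs, sample rule id 1:2003:8).
def _alert(ts, src, sid=2003):
    return (f"{ts}.000000  [**] [1:{sid}:8] MS-SQL Worm propagation attempt [**] "
            f"[Classification: Misc Attack] [Priority: 2] {{UDP}} {src}:1434 -> 203.0.113.5:1434")

SAMPLE_ALERTS = (
    [_alert(f"11/30-{h:02d}:00:00", "192.0.2.30") for h in range(8, 18)]  # 10 hits, one per hour
    + [_alert(f"11/30-18:{m:02d}:00", "192.0.2.10") for m in range(10)]   # 10 hits in 10 minutes
    + [_alert(f"11/30-18:{m:02d}:00", "192.0.2.20") for m in (1, 2, 3)]   # only 3 hits
)
```

With `offenders(SAMPLE_ALERTS, sid=2003, threshold=10, window_minutes=10)` only 192.0.2.10 is returned; the hourly source never has ten hits inside one window, and the blocking action itself (firewall rule, RST, ticket) is left to the caller.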