[Snort-users] snort block
j.riden at ...11179...
Tue Nov 30 18:14:04 EST 2004
"reynald" <rtm at ...10097...> writes:
> Hello guys,
> Can somebody tell me if it's possible to have Snort block a
> host(s) when a specific rule has alerted
> 10 times?
You can either use snort-inline for 'true' blocking, or you can use
flexresp2 which simply sends fake TCP RSTs to tear the connection
down, or I think there are other plugins which will add firewall rules
(e.g. for iptables or Cisco PIXs). Or you could hack up a custom perl
script to parse /var/log/snort/alert and take whatever action you like
when a particular IP address has triggered a particular rule M times
in N minutes.
I used the latter technique (with portscan.log) in a script which
would go and clobber Blaster/Welchia/Sasser infected hosts after so
many portscan alerts.
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
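One way to do the "parse the alert log and count M hits in N minutes" part of that last suggestion, as an added example in Python rather than Perl (not James's script): it assumes Snort's single-line "fast" alert format, runs over constructed sample lines, and leaves what to do with the offending addresses to the caller, as the post does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed snort "fast" alert layout (one alert per line, year not recorded):
# 11/30-18:14:04.123456  [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alert(line, year=2004):
    """Return (timestamp, sid, source_ip), or None for lines that are not alerts."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return datetime(year, int(m["mon"]), int(m["day"]), h, mi, s), m["sid"], m["src"]

def find_offenders(lines, sid, threshold, window_minutes):
    """Map each source IP that fired rule `sid` at least `threshold` times inside
    any `window_minutes` span to the timestamp at which it crossed that line."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)    # src ip -> hit timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:         # tolerate non-alert lines instead of crashing
            continue
        ts, alert_sid, src = parsed
        if alert_sid != sid or src in offenders:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that slid out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[src] = ts
    return offenders

# Constructed sample log: 10.1.1.5 fires local rule 1000001 once a minute for 12
# minutes, 10.1.1.6 fires it three times over 20 minutes, plus one non-alert line.
SAMPLE_ALERTS = [
    f"11/30-18:{m:02d}:00.000000  [**] [1:1000001:1] LOCAL worm propagation attempt [**] "
    f"[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {{TCP}} "
    f"{src}:4444 -> 192.0.2.10:445"
    for src, minutes in (("10.1.1.5", range(12)), ("10.1.1.6", range(0, 30, 10)))
    for m in minutes
] + ["Snort log rotated, nothing to see here"]
```

Calling `find_offenders(SAMPLE_ALERTS, "1000001", 10, 10)` flags only 10.1.1.5, at the alert that made ten hits within ten minutes; a real script would tail the live alert file and feed each new line in the same way.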