[Snort-users] HELP: Configuring IPTABLES on SnortSam blocking agent

Rachmat Hidayat Al-Anshar rachmat_hidayat_02 at ...131...
Sun Nov 18 03:19:15 EST 2007


Hi again guys, 

I have a little confused with the Fabrizio's statement 
on how we set the IPTABLES to make the snortsam agent
effectively block the bad ip address that have been delivered
by snortsam output plugin on snort machine.

BLOCK COMMAND:
/sbin/iptables -I FORWARD -i %s  -s %s -j DROP
/sbin/iptables -I INPUT -i %s  -s %s -j DROP

UNBLOCK COMMAND:
/sbin/iptables -D FORWARD -i %s  -s %s -j DROP
/sbin/iptables -D INPUT -i %s  -s %s -j DROP


note:
-i  = interface to block the bad ip address
-s = remote source ip address to be blocked

There is no problem at all with "-i" switch, the thing was bothering me
is the "-s" switch. How can I issue the bad ip address? 
in fact the snortsam outplugin on snort machine just send the "src" contains 
the bad ip address that was detected by snort. We talking about the random 
and dynamic ip address don't we?

so, what do you think guys?!?! what should I do?!




      ____________________________________________________________________________________
Be a better sports nut!  Let your teams follow you 
with Yahoo Mobile. Try it now.  http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20071118/fe37f8a3/attachment.html>


More information about the Snort-users mailing list