[Snort-users] SnortSam Block on all snort/barnyard2 alerts by default

Robert Z robrob2626 at ...131...
Sun Jul 24 17:21:16 EDT 2011

Is there a way to block all snort/barnyard2 alerts by default with the snortsam plugin patch?

If not, how hard would it be to add such an option to the snortsam patch?

The reason I am asking is that managing "sid-block.map" file with over 21000 sids seems overly complex.

A good solution would be to:

1. add an option like so: "output alert_fwsam: blockoption:src,15min"
    All snort/barnyard2 alerts would be blocked by default for 15 min by source.

2. If "sid-block.map" is detected, the default would be overridden by sid.

3. If rulefile.rules has a "fwsam: src, 5 minutes" option, that would override the default and sid-block.map.

4. If there is an override sid in snortsam.conf, that would override the "sid-block.map" file, the default and the rulefile.rules option.

The point of all this would be to minimize the amount of sid block times we would have to track on every rule database update.

I would like to hear your thoughts on this.
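To make the proposed precedence concrete, here is an added Python sketch (not SnortSam's or Snort's own code) that resolves the block action for a sid; the sid-block.map, rule-option and snortsam.conf formats it parses are assumed to match the strings quoted in the post.

```python
import re
from typing import Dict, Tuple

BlockSpec = Tuple[str, int]          # (who, seconds)
_UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60, "hour": 3600, "day": 86400}

# Constructed sample inputs modelled on the formats quoted in the post; the exact
# sid-block.map and snortsam.conf syntax is an assumption, not taken from SnortSam docs.
DEFAULT_OPTION = "blockoption:src,15min"            # proposed plugin-wide default
SID_BLOCK_MAP = """# sid: who, howlong
2001219: dst, 30 min
2002910: dst, 30 min
"""
RULE_FWSAM = {1000001: "src, 5 minutes"}           # fwsam: options found in rule files
SNORTSAM_OVERRIDE = {2001219: "either, 10 min"}    # hypothetical override entries

def parse_spec(spec: str) -> BlockSpec:
    """Turn 'src, 5 minutes' or 'src,15min' into ('src', seconds)."""
    who, _, dur = spec.partition(",")
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", dur.lower())
    unit = m.group(2).rstrip("s") if m else ""   # 'minutes' -> 'minute', 'mins' -> 'min'
    if unit not in _UNITS:
        raise ValueError(f"unrecognised duration: {dur!r}")
    return who.strip().lower(), int(m.group(1)) * _UNITS[unit]

def parse_sid_block_map(text: str) -> Dict[int, BlockSpec]:
    """Parse 'sid: who, howlong' lines; comments and blank lines are skipped."""
    table: Dict[int, BlockSpec] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            sid, _, spec = line.partition(":")
            table[int(sid)] = parse_spec(spec)
    return table

def resolve_block(sid: int, default: str = DEFAULT_OPTION, sid_map_text: str = SID_BLOCK_MAP,
                  rule_opts: Dict[int, str] = RULE_FWSAM,
                  overrides: Dict[int, str] = SNORTSAM_OVERRIDE) -> BlockSpec:
    """Precedence as proposed: snortsam.conf override > rule fwsam option
    > sid-block.map entry > plugin-wide default (every alert blocked)."""
    if sid in overrides:
        return parse_spec(overrides[sid])
    if sid in rule_opts:
        return parse_spec(rule_opts[sid])
    sid_map = parse_sid_block_map(sid_map_text)
    if sid in sid_map:
        return sid_map[sid]
    return parse_spec(default.split(":", 1)[1])   # 'blockoption:src,15min' -> 'src,15min'

if __name__ == "__main__":
    for sid in (2001219, 1000001, 2002910, 3000000):
        print(sid, resolve_block(sid))
```

The last sid in the demo appears in none of the per-sid sources, so it falls through to the plugin-wide default, which is the behaviour the post asks for.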

