[Snort-users] SnortSam Block on all snort/barnyard2 alerts by default
robrob2626 at ...131...
Sun Jul 24 17:21:16 EDT 2011
Is there a way to block all snort/barnyard2 alerts by default with the snortsam plugin patch?
If not, how hard would it be to add such an option to the snortsam patch?
The reason I am asking is that managing "sid-block.map" file with over 21000 sids seems overly complex.
A good solution would be to:
1. add an option like so: "output alert_fwsam: 127.0.0.1:898/mypassword blockoption:src,15min"
All snort/barnyard2 alerts would be blocked by default for 15 min by source.
2. If "sid-block.map" is detected the default would be overridden by sid.
3. If rulefile.rules has a "fwsam: src, 5 minutes" option, that would override the default and sid-block.map.
4. If there is an override sid in snortsam.conf, that would override the "sid-block.map" file, the default and the rulefile.rules option.
The point of all this would be to minimize the amount of sid block times we would have to track on every rule database update.
I would like to hear your thoughts on this.
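To make the proposed precedence concrete, here is an added example (not SnortSam code, and not part of the original post) that models the four-level resolution: a snortsam.conf per-sid override beats the rule's fwsam option, which beats sid-block.map, which beats the new default. The "blockoption:" keyword, the snortsam.conf override table and all sample entries are constructed assumptions; the sid-block.map and fwsam option formats follow the post.

```python
import re

# Constructed sample configuration modelling the post's proposal. The
# "blockoption:" keyword and CONF_OVERRIDES table are hypothetical, not SnortSam syntax.
DEFAULT_OPTION = "output alert_fwsam: 127.0.0.1:898/mypassword blockoption:src,15min"
SID_BLOCK_MAP = "# sid: who, duration\n1000: src, 5 minutes\n2000: dst, 1 hour\n"
CONF_OVERRIDES = {3000: ("src", 86400)}   # hypothetical: sid -> (who, seconds)

_UNITS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
          "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_duration(text):
    """Turn '15min', '5 minutes' or '1 hour' into a number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+?)s?\s*", text.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_block_spec(text):
    """'src, 5 minutes' -> ('src', 300); same shape as a fwsam rule option."""
    who, duration = text.split(",", 1)
    return who.strip(), parse_duration(duration)


def parse_sid_block_map(text):
    """Parse 'sid: who, duration' lines, skipping blanks and '#' comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sid, spec = line.split(":", 1)
        table[int(sid)] = parse_block_spec(spec)
    return table


DEFAULT_BLOCK = parse_block_spec(re.search(r"blockoption:(\S+)", DEFAULT_OPTION).group(1))
SID_TABLE = parse_sid_block_map(SID_BLOCK_MAP)


def resolve_block(sid, rule_fwsam=None, sid_table=SID_TABLE,
                  conf_overrides=CONF_OVERRIDES, default=DEFAULT_BLOCK):
    """Return (who, seconds) for an alert, applying the post's precedence, highest first:
    snortsam.conf override, then the rule's fwsam option, then sid-block.map, then default."""
    if sid in conf_overrides:
        return conf_overrides[sid]
    if rule_fwsam:
        return parse_block_spec(rule_fwsam)
    if sid in sid_table:
        return sid_table[sid]
    return default
```

With this scheme only sids that need a non-default duration are tracked, which is the reduction in per-update bookkeeping the post is asking for.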