[Snort-users] IDS or IPS

Marcio Guerreiro marcio.guerreiro at ...16117...
Wed Apr 15 17:50:31 EDT 2015


Hi everyone

I am new to snort and I have a quick question.

I have installed snort as NDIS mode but I would like to know if it is possible
to reset TCP connection as the following document states. As far as I
understand Snort would be able to generate the alerts for me, however if I
need to take some action I would have to manually resolve the problem or
somehow implement snort as IPS?

 

The document I am reading is about IDS in general.

 

http://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-systems-definition-challenges-343

 

If the sensors detect any malicious activity, it matches the malicious
packet against the attack signature database. In case it finds a match, the
sensor reports the malicious activity to the management console. The sensor
can take different actions based on how they are configured. "For example,
the sensor can reset the TCP connection by sending a TCP FIN, modify the
access control list on the gateway router or the firewall or send an email
notification to the administrator for appropriate action."

Thank you

Marcio Guerreiro
