[Snort-users] IDS or IPS

Al Lewis (allewi) allewi at ...589...
Wed Apr 15 20:56:58 EDT 2015


Hello Marcio,

Please see the section on active response: http://manual.snort.org/node26.html



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Marcio Guerreiro [mailto:marcio.guerreiro at ...16117...]
Sent: Wednesday, April 15, 2015 5:51 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] IDS or IPS

Hi everyone

I am new to snort and I have a quick question..

I have installed snort as NDIS mode but I would like to know if is possible to   reset TCP connection as the following document states. As far I understand Snort would be able to generate the alerts for me, however if I need to take some action I would have to manually resolve the problem or some how implement snort as IPS ?

The document I am reading is about IDS in general...

http://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-systems-definition-challenges-343

If the sensors detect any malicious activity, it matches the malicious packet against the
attack signature database. In case it finds a match, the sensor reports the malicious
activity to the management console. The sensor can take different actions based on
how they are configured."For example, the sensor can reset the TCP connection by sending a
TCP FIN, modify the access control list on the gateway router or the firewall
or send an email notification to the administrator for appropriate action."


Thank you

Marcio Guerreiro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150416/6ec932d6/attachment.html>


More information about the Snort-users mailing list