Snort mailing list archives
RE: Snort's Blocking Capability?
From: SRH-Lists <giermo () 333tech com>
Date: Fri, 28 Mar 2003 12:33:59 -0600
> G'Day People,

G'Day

> * As I understand, snort monitors packets as they reach the interface, but can it actually *delete* an individual packet so that applications do not receive it?

Not natively, but see Hogwash[0]

> And also:
> * When snort's flexresp plugin is used to send connection reset packages to source/destination IP, am I right in saying this doesn't actually stop the packet from reaching the receiving IP on our network (so it is not "blocked")?

Correct, but it should stop subsequent packets in the same TCP connection.

> * Could a setup on the hacker's machine not simply ignore connection reset packets anyway?

They could, but the RST is sent to both ends of the session. If the "hacker" tried to continue the session, the target would say: "Huh? This session is closed"

> If I understand correctly, snort doesn't work low-level enough to actually "block" packets from doing what they would do? If so, are there any plugins or external applications that can work co-operatively with snort and stop packets from reaching applications on the host?

Again, see Hogwash[0]. It is an 'inline' modification that uses Snort to "scrub" packets.

[0] http://hogwash.sourceforge.net/
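The difference discussed in this message, as an added example that is not part of the original post or of Snort/Hogwash: a simplified Python model of one TCP session seen by a passive sensor that resets both ends versus an inline device that drops the matching packet. The names (`Target`, `run_session`, `SIGNATURE`) and payloads are constructed, and the model assumes the resets arrive before the next segment does.

```python
# Simplified model (constructed for illustration): one TCP session through a sensor.
from dataclasses import dataclass, field

SIGNATURE = b"EVIL"  # constructed placeholder pattern, not a real rule


@dataclass
class Target:
    """Receiving host: accepts payloads until its side of the session is reset."""
    is_open: bool = True
    received: list = field(default_factory=list)

    def deliver(self, payload: bytes) -> str:
        if not self.is_open:
            return "rejected"          # "Huh? This session is closed"
        self.received.append(payload)
        return "accepted"

    def reset(self) -> None:
        self.is_open = False


def run_session(payloads, mode, attacker_honours_rst=True):
    """mode: 'passive_rst' (sniffer + resets to both ends) or 'inline' (drop in path)."""
    target = Target()
    attacker_open = True
    log = []
    for p in payloads:
        if not attacker_open:
            log.append((p, "not sent"))
            continue
        match = SIGNATURE in p
        if mode == "inline" and match:
            log.append((p, "dropped"))   # packet never reaches the target
            continue
        # A passive sensor only sees a copy; the original is delivered regardless.
        log.append((p, target.deliver(p)))
        if mode == "passive_rst" and match:
            target.reset()               # RST sent to the target ...
            if attacker_honours_rst:
                attacker_open = False    # ... and to the source
    return target.received, log
```

In `passive_rst` mode the matching payload always appears in `received`; only the inline mode keeps it from the application.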