Snort mailing list archives
Re: Thoughts on Snort-flex rule?
From: Erek Adams <erek () snort org>
Date: Sun, 26 Jan 2003 13:50:02 -0500 (EST)
On Sun, 26 Jan 2003, Rich Adamson wrote:
> 1. Is there a way to configure snort (eg, rules or other options) to track portscans, web application attacks, etc, from a single source IP address, and flex-respond to "all" future activity from that source for the next five minutes (or some other preconfigured time frame) regardless of the next target IP from that source?

Nope. [...snip...]

> 2. Are there any other inexpensive hardware/software solutions (besides commercial firewalls, in-line linux-type boxes, etc) that would act as a gateway of sort, that snort could control to essentially create the reactive function noted in #1, above? I'm quite familiar with the delay issues of reacting to such events, and the risk associated with not stopping the initial scans, etc.

Snort-inline could be a GIDS for you. It's not going to have the timeframe setup that you want, but it would be able to drop them before entering your net.

> 3. Anyone tried to create a tcl/snmp/other mechanism to dynamically modify a Cisco router access control list to accomplish the above?

Guardian [0] and SnortSam [1].

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.chaotic.org/guardian/
[1] http://www.snortsam.net/