Re: Snortsam

[Frank Knobbe <fknobbe () knobbeits com>]

On Sun, 2003-06-01 at 00:41, Wilcoxen, Scott wrote:
> Has anyone successfully setup Snortsam?  I've patched my Snort sources,
> recompiled, compiled Snortsam itself and got the whole thing configured
> without too much trouble.  Now I've modified a few of my rules and am in
> the process of testing this out.  The problem I'm having is this.  I
> configure a rule to make use of Snortsam, and when I intentionally
> spring that rule it only follows through and blocks that IP about 10% of
> the time!!  It never unblocks the IP once it's been blocked unless I
> manually stop and start Snortsam.  I was thinking that possibly my
> machines weren't keeping up with everything going on, so I disabled all
> of the preprocessors in Snort.  

Snortsam doesn't make use of any preprocessors. It only blocks on the
rules where you specify it.

What firewall(s) are you trying to block on? Does it block but not
unblock on every IP? You say it only block 10% of the time...what
happens the other 90% of the time? (And are you sure those skips are
outside the repetitive block interval?) Are there any errors in the
Snortsam log file? 

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part