Snort mailing list archives
Re: Snort inline timeout
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 30 Jul 2009 08:31:50 -0400
Your second paragraph is correct. The packets matching the rule will be dropped; the offending IP can still open a connection. To block them longer, you will need something like SnortSAM or a commercial product to enforce the block at the firewall.

J

On Wed, Jul 29, 2009 at 9:35 PM, <guerrilha () gmail com> wrote:

> Okay, let's get more specific... suppose I have snort compiled with --enable-inline on a host. If someone starts an ssh bruteforce attack and my IPS recognizes it via a drop rule, the offending address will be blocked, right? Is this IP address going to stay blocked? Or only the packets matched by the rule will be dropped and the offending IP can still open a connection?
>
> 2009/7/29 Will Metcalf <william.metcalf () gmail com>:
>
>> hmmm I'm not sure what you mean, by default drops are done on a per packet basis. In the case of tcp the packet deemed "bad" gets retransmitted and those retransmissions are dropped as well. Could you elaborate?
>>
>> Regards,
>> Will
>>
>> On Wed, Jul 29, 2009 at 12:55 PM, <guerrilha () gmail com> wrote:
>>
>>> Hi People, does anyone know if an inline compiled from snort core (./configure --enable-inline) has a timeout value for its drops (any default time I could have missed in snort's manual)? Or will the drops registered into iptables be there like... permanently?
>>>
>>> Kind regards,
>>> Ailton Caetano
-- Joel Esler | Sourcefire | Google Voice: 302-223-5974
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
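The distinction discussed in this thread (per-packet drops versus a timed block of the source address at the firewall) can be illustrated with the following added example, which is not code from the thread, from Snort, or from SnortSAM. It assumes alert_fast-style log lines, a hypothetical local drop rule with sid 1000001, and an existing ipset set named `snort_block` created with timeout support and referenced by a DROP rule; the function only returns the commands, it does not execute them.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed alert_fast-style lines; sid 1000001 is a hypothetical local drop rule.
SAMPLE_ALERTS = """\
07/29-21:35:01.100000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 203.0.113.5:40112 -> 192.0.2.10:22
07/29-21:35:03.200000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 203.0.113.5:40113 -> 192.0.2.10:22
07/29-21:35:04.000000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.10:22
07/29-21:35:05.900000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 203.0.113.5:40114 -> 192.0.2.10:22
07/29-21:35:06.500000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 203.0.113.5:40115 -> 192.0.2.10:22
07/29-21:50:00.000000  [**] [1:1000002:1] LOCAL other rule [**] [Priority: 3] {TCP} 198.51.100.7:51001 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]"
    r".*\{(?:TCP|UDP)\}\s+(?P<src>[\d.]+):\d+\s+->")

def plan_blocks(alert_text, sid="1000001", hits=3, window_s=60,
                block_s=3600, setname="snort_block", year=2009):
    """Return ipset commands that block a source for block_s seconds once it
    has matched the drop rule `hits` times within `window_s` seconds."""
    recent = defaultdict(deque)   # src -> timestamps of recent matches
    blocked_until = {}            # src -> expiry of the block already issued
    commands = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m or m["sid"] != sid:
            continue
        try:
            src = str(ipaddress.IPv4Address(m["src"]))
        except ValueError:
            continue              # never pass an unvalidated string to a firewall command
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        if blocked_until.get(src, ts) > ts:
            continue              # still blocked at the firewall; nothing to add
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= hits:
            blocked_until[src] = ts + timedelta(seconds=block_s)
            q.clear()
            commands.append(f"ipset add {setname} {src} timeout {block_s}")
    return commands

if __name__ == "__main__":
    print("\n".join(plan_blocks(SAMPLE_ALERTS)))
```

The kernel expires each ipset entry after its timeout, so the block outlives the dropped packets without becoming permanent.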