5.6 Is it possible with Snort to add an ipfilter/ipfw rule to a firewall?

Yes, with additional software in the contrib directory. But this can be dangerous and is not recommended unless you know what you're doing.

CHRISTOPHER CRAMER wrote:
I'm sure this has been mentioned before in similar discussions, but this feels like a _really_ bad idea. What if the bad guys realize what is going on and make use of your blocking method as a DoS attack? All one would have to do is start sending a series of triggering packets with spoofed IP addresses.
Since I am no longer interested in breaking into your site, but rather making your life hell, I don't worry about the resulting data getting back to me. All I have to do is start proceeding up a list of IP addresses that I think you should no longer be able to talk to. When you come in the next morning, you find that you can no longer access the world.
Just my $0.02.

Danger Will Robinson: Conventional wisdom says that auto-blocking is inherently dangerous. However, for those that like to live at the bleeding edge of tech (and the separate process scanning logs and processing firewall commands sounds like a good way to do this...): Please remember to include an exclusion list and put on it important sites such as root servers, other important DNS servers (yours, and important sites for your users), and in general any host you don't want to receive phone calls about being DoSed when they are spoofed - usually inconveniently, like that first time you actually manage to get on vacation.... (i.e. imagine "Crisis: the CEO can't reach his favorite redlite.org game.... you have to fly back from the Caribbean ASAP....")
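
The exclusion-list advice above, as an added example (not part of the FAQ and not the contrib software): a separate process that reads Snort fast-format alert lines and plans ipfw deny rules, skipping excluded networks. The sample alerts, the exclusion entries, the rule numbers and the max_blocks cap are assumptions made for the illustration; the commands are only returned as strings, never executed.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (sample data, not real traffic).
SAMPLE_ALERTS = """\
08/28-12:00:01.000001  [**] [1:1000001:1] constructed test alert [**] [Priority: 2] {TCP} 203.0.113.7:4431 -> 192.0.2.10:80
08/28-12:00:02.000001  [**] [1:1000001:1] constructed test alert [**] [Priority: 2] {UDP} 198.51.100.53:53 -> 192.0.2.10:33000
08/28-12:00:03.000001  [**] [1:1000001:1] constructed test alert [**] [Priority: 2] {TCP} 192.0.2.1:1025 -> 192.0.2.10:80
08/28-12:00:04.000001  [**] [1:1000001:1] constructed test alert [**] [Priority: 2] {TCP} 203.0.113.7:4432 -> 192.0.2.10:80
08/28-12:00:05.000001  [**] [1:1000001:1] constructed test alert [**] [Priority: 2] {TCP} 203.0.113.99:4000 -> 192.0.2.10:80
""".splitlines()

# Hypothetical exclusion list: a DNS server you depend on and your own network.
EXCLUDE = [ipaddress.ip_network(n) for n in ("198.51.100.53/32", "192.0.2.0/24")]

# Source address of a fast alert; the port is absent for ICMP alerts.
SRC_RE = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")

def plan_blocks(lines, exclude=EXCLUDE, max_blocks=1, first_rule=20000):
    """Return (commands, skipped); commands are planned, not executed."""
    commands, skipped, seen = [], [], set()
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a valid IPv4 address, ignore the line
        if src in seen:
            continue  # one decision per source address
        seen.add(src)
        if any(src in net for net in exclude):
            skipped.append((str(src), "excluded"))
        elif len(commands) >= max_blocks:
            # Assumed safeguard: a burst of spoofed sources must not be
            # able to add an unlimited number of deny rules.
            skipped.append((str(src), "block cap reached"))
        else:
            rule = first_rule + len(commands)
            commands.append(f"ipfw add {rule} deny ip from {src} to any")
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = plan_blocks(SAMPLE_ALERTS)
    print("\n".join(cmds))
    for ip, why in skipped:
        print(f"# not blocked: {ip} ({why})")
```

Sources that hit the cap are reported rather than blocked, so a person decides whether a sudden run of new addresses is an attack or spoofing aimed at your own blocklist.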