Re: [Snort-users] Block
At 11:16 AM 2/16/2004, Israel_Guadalupe_Lopez_Mascorro../Administracion/Jalisco@jalisc wrote:
>Hi I would like to know if with snort or some plug I can block attacks or
>virus

For viruses, I'd really recommend NOT using snort to control these... install a copy of clamav or some other virus scanner on your SMTP gateway and make all mail go through it.

For attacks, there are 3 different tools that expand snort to have blocking capability, with different limitations and degrees of capability:

1) flexresp - not 100% reliable, but comes with snort, all you need is --with-flexresp for your config. Relies on attempting to desynchronize or reset TCP connections, or using ICMP error messages to make one or both systems give up on the conversation.

2) snort-inline - Linux kernel specific at the moment, but does true kernel-level firewall interaction as packets arrive.

3) snortsam - supports a wide variety of firewalls, but acts slightly after the fact. This means the packet that contained the trigger gets passed, but subsequent packets will get blocked, limiting the impact of the exposure.
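How the three approaches listed above show up in a rule, as an added sketch that is not part of the original post. The content string, sids, agent address and password are constructed placeholders, and the keywords follow each tool's own documentation (the `resp` option for flexresp, the `drop` action for snort-inline, the `fwsam` option and `alert_fwsam` output for snortsam); check them against the versions you run.

```snort
# Constructed example rules: the detection part is identical in all three,
# only the response mechanism changes.

# 1) flexresp: alert, then attempt to reset the TCP session in both directions.
#    Needs a snort binary built with flexresp support; the resets can lose the
#    race with the remaining packets, hence "not 100% reliable".
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE trigger, reset session"; flow:to_server,established; content:"EXAMPLE-TRIGGER"; resp:rst_all; sid:1000001; rev:1;)

# 2) snort-inline: the rule action is "drop", so the packet that matched is
#    discarded in the kernel firewall path and never reaches the server.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE trigger, drop packet"; flow:to_server,established; content:"EXAMPLE-TRIGGER"; sid:1000002; rev:1;)

# 3) snortsam: a normal alert rule plus the fwsam option, which asks the
#    snortsam agent to block the source on the firewall for a limited time.
#    The packet that matched has already been delivered.
#    snort.conf (placeholder agent address and password):
#      output alert_fwsam: 192.0.2.10/examplepassword
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE trigger, firewall block"; flow:to_server,established; content:"EXAMPLE-TRIGGER"; fwsam:src, 5 minutes; sid:1000003; rev:1;)
```

Only the second rule stops the triggering packet itself; the first and third limit what follows it.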