[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Snort-users] React & Resp keyword working

Dear Alberto,
 
Thx for this.
 
I go through the Snortsam and Hogwash, but they doesn't fullfill my requirement.
Actually for Hogwash, I have to put my snort box in a pass-through mode between the internal and external n/w and for Snortsam, it only modifies the rules for some firewall which is again at the gateway of the n/w.
Let say some internal guy is doing somethink ill-legal, then these two will not work.
Suppose I want that no porson in my internal network will not be able to do FTP within the network if the file contains some specified characters or say logging as "root".
So for it Snortsam and Hogwash will not be able to detect and take a action according to that. I want that as this guy initialte such things and when the Snort come to know about this then the connection is blocked automatically and a message is send to the user doing that.

Merry Christmas and a fruitful new year .......
Regards and have a nice day,
                           Atul Shrivastava
                           Info Structure Services
                           HCL INFOSYSTEMS LTD.
                           E - 4,5,6 Sector XI,
                           Noida - 201301
                           Tel: 91-120-2526910,2443013
 
----- Original Message -----
From: "Alberto Gonzalez" <albertg@cerebro.violating.us>
To: "Atul Shrivastava" <atulsh@hclinsys.com>
Sent: Tuesday, December 31, 2002 1:44 PM
Subject: Re: [Snort-users] React & Resp keyword working

> If you *haven't* compiled snort with flexresp, i think you can answer
> your own question if they will work.
> I suggest looking into snortsam for blocking of offending connections.
> That or Hogwash will do. You can
> use flexresp but I've seen people bork their networks cause of it. I've
> played with all three, and my choices
> will be hogwash and or snortsam for the job.
>
> Cheers,  
>     Alberto Gonzalez
>
> Atul Shrivastava wrote:
>
> > Hello,
> > 
> > I am quiet keen to know about the keyword "RESP" & "REACT"
> > I am working on Snort for a long time and now I need to forcely block
> > the connections which are not legal. So for that I need to use these
> > two keywords. I have got enough knowledge about these two keywords but
> > before going for it, I would like to ask you that I have not compiled
> > my snort (./configure) with flexresp.
> > So I want to know that whether these rules will work on my machine or
> > not. Further you have told that some message be sent to the user fot
> > it but it will be available soon. I am using the snort verison 1.9.1.
> > Is these facility is available in this verison.
> > Please help me in this issue. Thanks in advance.
> > 
> > Merry Christmas and a very happy new year ......
> > Regards and have a nice day,
> >                            Atul Shrivastava
> >                            Info Structure Services
> >                            HCL INFOSYSTEMS LTD.
> >                            E - 4,5,6 Sector XI,
> >                            Noida - 201301
> >                            Tel: 91-120-2526910,2443013
> > 
> > 
>
>
> --
> The secret to success is to start from scratch and keep on scratching.
>
questions/problems with archive to: webmaster@mcabee.org
Mail converted by MHonArc 2.5.12