SNORT IDS

hi i have configured snort its working fine. now I want to do few things ie

1:- If any one from outside tried to intrude in some devices like router its mail that ip to admin email id
2:- if there is some attack like dos etc it mail id to admin and block the ip

could any one tell me how to do that and how to make rule to  fullfill above creteria and run snort in IDS mode
NeerVermaAsked:
Who is Participating?
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
SnortSam can also be used to update firewalls, but if your snort is listening on the outside exclusively your doomed to fail. The outside is under constant attack, and following up on the alerts is practically a waste of time, most times the data never makes it thru the firewall or routers ACL's, but snort will see these dozens if not hundreds of attacks and log/alert on them, but if they don't get through, it's a false positive. We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat. DDoS is probably not something you can handle as a customer, the ISP is better suited to address such blocks and they are equiped (typically) do see the traffic and do something about it more than a firewall rule is. If it's 2-3 host's your firewall logs should be able to show you that, and then adding a drop rule for them makes sense. Sending RST packets via snort is one way to deal with it, but often it's spoofed src information so the RST never reaches it's destination.
-rich
0
 
gheistCommented:
you need flexresp feature compiled in snort and then edit config files.
no need to block attacks that do not reach any service
danger to block icmp parameters or udp, as they can be easily forget to make you lock out yourself.
0
 
Rich RumbleSecurity SamuraiCommented:
correction > We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
Should read
We find it's best to put SNORT on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
-rich
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
NeerVermaAuthor Commented:
how i can configured email address so that in case of alert it mail it to admin
0
 
NeerVermaAuthor Commented:
could any one let me know how i snort can send alerts to my email id
0
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
You need to use an alternate program to email snort alerts, whatever your frontend is for snort, which could be Base, Aanval, Snorby or Sguil. Snort itself lacks the ability.
-rich
0
 
QlemoDeveloperCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
All Courses

From novice to tech pro — start learning today.