SNORT IDS

Hi, I have configured Snort and it's working fine. Now I want to do a few things, i.e.:

1. If anyone from outside tries to intrude into some devices like a router, it mails that IP to the admin email ID.
2. If there is some attack like DoS etc., it mails the ID to the admin and blocks the IP.

Could anyone tell me how to do that, how to make rules to fulfill the above criteria, and how to run Snort in IDS mode?
0
Asked by: NeerVerma
2 Solutions
 
gheist commented:
You need the flexresp feature compiled into Snort, and then edit the config files.
There is no need to block attacks that do not reach any service.
It is dangerous to block ICMP parameters or UDP, as they can easily be forgotten and make you lock yourself out.
0
 
Rich Rumble (Security Samurai) commented:
SnortSam can also be used to update firewalls, but if your Snort is listening on the outside exclusively you're doomed to fail. The outside is under constant attack, and following up on the alerts is practically a waste of time; most times the data never makes it through the firewall or routers' ACLs, but Snort will see these dozens if not hundreds of attacks and log/alert on them, but if they don't get through, it's a false positive. We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what Snort saw was a real threat. DDoS is probably not something you can handle as a customer; the ISP is better suited to address such blocks, and they are equipped (typically) to see the traffic and do something about it, more than a firewall rule is. If it's 2-3 hosts, your firewall logs should be able to show you that, and then adding a drop rule for them makes sense. Sending RST packets via Snort is one way to deal with it, but often it's spoofed src information so the RST never reaches its destination.
-rich
0
 
Rich Rumble (Security Samurai) commented:
Correction > We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what Snort saw was a real threat.
Should read:
We find it's best to put SNORT on the link between the firewall/router to the outside. Then you can be more assured that what Snort saw was a real threat.
-rich
0
 
NeerVerma (Author) commented:
How can I configure an email address so that in case of an alert it mails it to the admin?
0
 
NeerVerma (Author) commented:
Could anyone let me know how Snort can send alerts to my email ID?
0
 
Rich Rumble (Security Samurai) commented:
You need to use an alternate program to email Snort alerts, whatever your frontend is for Snort, which could be BASE, Aanval, Snorby or Sguil. Snort itself lacks the ability.
-rich
0
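A minimal version of the "alternate program" Rich describes, added here as an example and not code from the thread or from Snort itself: it parses lines in Snort's alert_fast output layout (assumed below), counts alerts per source IP so that a noisy scanner produces one summary rather than one mail per packet, and composes the admin email. The sample alert lines, the sids 1000001/1000002, the addresses and the SMTP_HOST variable are all constructed placeholders.

```python
import os
import re
import smtplib
import sys
from collections import Counter
from email.message import EmailMessage
# Layout of Snort's "alert_fast" output, one alert per line (assumed here).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)
# Constructed sample alerts (sids 1000001/1000002 are local placeholders, not real rules).
SAMPLE_LINES = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] SSH login attempt (constructed) [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 10.0.0.5:22",
    "01/15-10:23:46.000001  [**] [1:1000001:1] SSH login attempt (constructed) [**] [Priority: 2] {TCP} 192.0.2.10:4445 -> 10.0.0.5:22",
    "01/15-10:23:47.500000  [**] [1:1000002:1] Router admin probe (constructed) [**] [Priority: 2] {TCP} 192.0.2.10:4446 -> 10.0.0.1:80",
    "01/15-10:24:01.000000  [**] [1:1000002:1] Router admin probe (constructed) [**] [Priority: 2] {TCP} 198.51.100.7:33000 -> 10.0.0.1:80",
    "some unrelated log line that must be ignored",
]
def parse_alerts(lines):
    """Return one dict per line that matches the alert_fast layout; other lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, lines) if m]
def summarize(alerts, min_hits=3):
    """Alerts per source IP, keeping only sources at or above min_hits, so a noisy
    scanner yields one summary line rather than one mail per packet."""
    hits = Counter(a["src"] for a in alerts)
    return {src: n for src, n in hits.items() if n >= min_hits}
def build_report(alerts, admin="admin@example.com", min_hits=3):
    """Compose the mail the admin would receive; None when nothing crosses the threshold."""
    noisy = summarize(alerts, min_hits)
    if not noisy:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"Snort: {len(noisy)} source(s) exceeded {min_hits} alerts"
    msg["From"], msg["To"] = "snort@example.com", admin
    body = []
    for src, n in sorted(noisy.items(), key=lambda kv: -kv[1]):
        sigs = sorted({a["msg"] for a in alerts if a["src"] == src})
        body.append(f"{src}: {n} alerts; signatures: {', '.join(sigs)}")
    msg.set_content("\n".join(body))
    return msg
if __name__ == "__main__":
    # Reads the alert file given on the command line, or falls back to the constructed sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    report = build_report(parse_alerts(lines))
    if report is not None and os.environ.get("SMTP_HOST"):  # assumed: plain relay on port 25
        with smtplib.SMTP(os.environ["SMTP_HOST"]) as smtp:
            smtp.send_message(report)
    else:
        print(report or "nothing to report")
```

Run it as `python snort_mail.py /var/log/snort/alert` from cron or a log tailer; without SMTP_HOST set it just prints the composed message.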
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0