Score:0

Snort: How to block suspicious Traffic?


Snort comes by default (Debian) with a bunch of rules. They are all configured as "Alert". When I want to block suspicious traffic (IPS mode), do I need to change all rules from Alert to Block, or is there another mechanism?

What is best practice?

Score:0

According to the documentation (https://www.snort.org/faq/readme-filters), you can set filters.

detection_filter is a new rule option that replaces the current threshold keyword in a rule. It defines a rate which must be exceeded by a source or destination host before a rule can generate an event.

rate_filter provides rate based attack prevention by allowing users to configure a new action to take for a specified time when a given rate is exceeded.

event_filter is a standalone command which replaces 'threshold', which is now obsolete. event_filters reduce the amount of data logged.
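An added example (not part of this answer or of the Snort documentation) that puts the alert-to-drop rewrite the question asks about next to the rate_filter alternative from README.filters; the SSH rule, sid 1000001 and the counts are constructed placeholders for a Snort 2.9 snort.conf:

```snort
# Added example, not from the answer above: a snort.conf fragment for
# Snort 2.9 showing both mechanisms side by side. SID 1000001, port 22
# and $HOME_NET/$EXTERNAL_NET are placeholders for your own setup.

# 1) Detection only: the stock rule action. Nothing is blocked, even in
#    inline mode, because the action is "alert".
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXAMPLE SSH connection attempt"; flags:S; \
     flow:stateless; sid:1000001; rev:1;)

# 2a) Static block: rewrite the rule action to "drop". This only has an
#     effect when Snort runs inline (snort -Q --daq afpacket -i eth0:eth1).
#     Doing this for every rule turns every false positive into an outage.
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"EXAMPLE SSH connection attempt"; flags:S; \
     flow:stateless; sid:1000001; rev:1;)

# 2b) Rate-based block (rate_filter): keep the rule as "alert", but switch
#     its action to "drop" for 600 seconds once a single source trips it
#     more than 10 times in 60 seconds. gen_id 1 is the text-rule
#     generator; sig_id is the rule's sid. Also needs inline mode to block.
rate_filter gen_id 1, sig_id 1000001, \
    track by_src, count 10, seconds 60, \
    new_action drop, timeout 600

# 3) event_filter keeps the log readable while the source is being dropped:
#    at most one logged event per source for this sid every 60 seconds.
event_filter gen_id 1, sig_id 1000001, \
    type limit, track by_src, count 1, seconds 60
```

Section 2a and 2b are alternatives for the same sid; keep only one of the two rule lines in a real config, and check `snort -T -c snort.conf` before reloading.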

Score:0

Using Snort locally installed on your production server is not a good idea, since in case of an attack it uses the resources of your local server to protect the service, and this causes resource overload and the service itself goes down.

It's a good idea to separate this type of service (IDP, Intrusion Detection/Prevention) from your production servers.

Another suggestion is to use pfSense instead. pfSense is a BSD-based (FreeBSD) firewall with Snort and many other components enabled on it, with a great, nice and clean GUI. Although I'm a great fan of the command line, in some cases, especially attacks, ease of use is a plus point.
