Intrusion Detection - Snort

Matthew Moyle-Croft mmc at
Mon Dec 16 15:38:04 CST 2002

You really want to be VERY VERY careful about proactive stuff.

e.g. What if I start flooding you with ICMP packets which are supposedly from 
one of your more important client's email servers?  It'll drop a rule in 
blocking from the machine .. no email from client.

Personally, I don't see that the risk is worth it:
- adding rules doesn't prevent traffic getting to you and thus costing you 
  money or degrading link performance.
- it shouldn't stop any more things that aren't already being stopped by your 
- most of the issue can be dealt with by using rate-limiting options on 
  iptables, which is really what you want anyway.


On Mon, 16 Dec 2002, Matthew Western wrote:

> Hi All,
> I've got snort going nicely and seeing all kinds of bad stuff when I test
> it.  My question: does anyone on this list have the snort server do anything
> proactive?  I'm sure it would be possible to add iptables rules and all
> kinds of other things, but I'm wondering what do others do?   Seems logical
> to, if a CodeRed was seen coming through, add an iptables rule and log that
> you've added a rule...  any other ideas?
> M

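The two positions in this exchange, the quoted idea of dropping in an iptables rule whenever Snort sees something, and the reply's objection that a spoofed ICMP flood could make you block a client's mail server, side by side as an added example; this is not code from either poster. It assumes Snort is writing its "alert_fast" text output (the thread does not say which output is in use), parses those lines, and contrasts a naive responder with one that ignores spoofable protocols, keeps a never-block list, requires repeated evidence within a window, and expires its blocks. The sample alert lines, addresses and signature IDs are constructed, and the responder only returns the iptables commands it would run rather than executing them, so it runs offline.

```python
"""Auto-response from Snort alerts: naive vs. guarded (added example, not from the thread).

Assumptions not stated in the posts: alerts arrive in Snort's "alert_fast" text
format, and the responder only emits iptables command strings instead of running
them. All addresses, SIDs and messages below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict, deque

# Snort fast-alert line layout (regex written for this example):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [...] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+))\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_fast_alert(line):
    """Parse one fast-alert line into a dict, or return None if it does not match."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["secs"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + float(d["s"])  # seconds into the day
    return d


def naive_rules(lines):
    """The approach the reply warns about: one DROP rule per alert, no questions asked."""
    return [f"iptables -I INPUT -s {a['src']} -j DROP"
            for a in map(parse_fast_alert, lines) if a]


class GuardedBlocker:
    """Automatic blocking with the guards a spoofed-ICMP flood would otherwise defeat."""
    SPOOFABLE = {"ICMP", "UDP"}  # single-packet protocols: the source address proves nothing

    def __init__(self, never_block, threshold=3, window=60.0, ttl=600.0):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.threshold = threshold      # qualifying alerts required within `window` seconds
        self.window = window
        self.ttl = ttl                  # blocks expire, so a mistake is bounded in time
        self.hits = defaultdict(deque)  # src -> timestamps of qualifying alerts
        self.blocked = {}               # src -> expiry time (seconds into the day)

    def protected(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.never_block)

    def expire(self, now):
        """Forget expired blocks; returns the released addresses (caller would delete the rules)."""
        released = [s for s, t in self.blocked.items() if t <= now]
        for s in released:
            del self.blocked[s]
        return released

    def consider(self, alert):
        """Return an iptables command if this alert should trigger a block, else None."""
        now, src = alert["secs"], alert["src"]
        self.expire(now)
        if src in self.blocked or self.protected(src):
            return None
        if alert["proto"].upper() in self.SPOOFABLE:
            return None  # a spoofed packet must never be able to cut off a real peer
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()
        self.blocked[src] = now + self.ttl
        return f"iptables -I INPUT -s {src} -j DROP"


def guarded_rules(lines, never_block):
    b = GuardedBlocker(never_block)
    return [r for r in (b.consider(a) for a in map(parse_fast_alert, lines) if a) if r]


def fast_line(ts, sid, msg, prio, proto, src, dst):
    """Build a constructed fast-alert line, e.g.
    12/16-15:38:04.000000  [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 203.0.113.9:4123 -> 198.51.100.5:80
    """
    return f"12/16-{ts}  [**] [1:{sid}:1] {msg} [**] [Priority: {prio}] {{{proto}}} {src} -> {dst}"


CLIENT_MAIL_SERVER = "192.0.2.25/32"  # constructed: the client host we must never block

SAMPLE_ALERTS = [  # constructed sample alerts using documentation address ranges
    fast_line("15:38:04.000000", 1256, "WEB-IIS CodeRed v2 root.exe access", 1, "TCP", "203.0.113.9:4123", "198.51.100.5:80"),
    fast_line("15:38:05.000000", 1256, "WEB-IIS CodeRed v2 root.exe access", 1, "TCP", "203.0.113.9:4124", "198.51.100.5:80"),
    fast_line("15:38:06.000000", 1256, "WEB-IIS CodeRed v2 root.exe access", 1, "TCP", "203.0.113.9:4125", "198.51.100.5:80"),
    fast_line("15:38:07.000000", 1256, "WEB-IIS CodeRed v2 root.exe access", 1, "TCP", "203.0.113.9:4126", "198.51.100.5:80"),
    # three ICMP alerts whose source address claims to be the client's mail server
    fast_line("15:38:10.000000", 499, "ICMP Large ICMP Packet", 2, "ICMP", "192.0.2.25", "198.51.100.5"),
    fast_line("15:38:10.100000", 499, "ICMP Large ICMP Packet", 2, "ICMP", "192.0.2.25", "198.51.100.5"),
    fast_line("15:38:10.200000", 499, "ICMP Large ICMP Packet", 2, "ICMP", "192.0.2.25", "198.51.100.5"),
    # a single probe from a third host: one alert is not enough evidence to block
    fast_line("15:38:12.000000", 1002, "WEB-IIS cmd.exe access", 1, "TCP", "198.51.100.77:3310", "198.51.100.5:80"),
]

if __name__ == "__main__":
    print("naive  :", naive_rules(SAMPLE_ALERTS))          # eight rules, including the client's mail server
    print("guarded:", guarded_rules(SAMPLE_ALERTS, [CLIENT_MAIL_SERVER]))  # only 203.0.113.9
```

The naive responder emits a DROP for the client's mail server three times over; the guarded one emits a single rule for the repeated CodeRed source and nothing else. Note that even the guarded version still does not address the reply's first point: the packets have already crossed your link by the time Snort sees them, which is why the thread points at rate limiting on the firewall itself rather than reactive blocking.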

More information about the linuxsa mailing list