Re: Snort and Cisco Pix
From: Kurt Seifried (email@example.com)
In reply to: Jeremy: "Snort and Cisco Pix"
Message-ID: <firstname.lastname@example.org> From: "Kurt Seifried" <email@example.com> To: <firstname.lastname@example.org> Subject: Re: Snort and Cisco Pix Date: Mon, 22 Oct 2001 16:07:33 -0600
Flex resp will do it. You could also use log monitoring software like swatch
to take an action if a rule is matched; you could have it update the
firewall list/etc. Personally I would recommend extreme caution doing this:
if someone spoofs an attack from a partner or client, you suddenly firewall
them, and the attacker has just executed a rather nice attack on your
system. The logic needed to prevent this would be simple, but a good list of
sites you do not want to block would be fun to keep up to date (root
nameservers, partners, popular websites the boss likes, etc.).
> We were looking at the new Cisco IDS card that goes into their 6500's and
> our cisco guy said that when it matches a signature it could update the pix
> access lists to block traffic from that ip. We are currently running several
> snort boxes and I was wondering if there was anything like that for snort.
> Also, is there anything in snort now other than flex-resp that takes an
> active role in stopping packets that match a certain signature?
> Sure would like to save our company $40K from having to buy 2 of those
> cisco ids cards.
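The reply above warns that an alert-driven block list needs a "never block" list in front of it, or a spoofed attack can be turned into a denial of service against your own partners. The following is an added example of that gating logic, not code from the thread or from Snort or swatch: it parses Snort "fast" alert lines, extracts the source address, and refuses to block anything inside a protected set (a root nameserver, a partner network, your own address space). The alert lines, the protected networks and the `plan_blocks` function are all constructed for illustration; the firewall-side command that would consume the resulting addresses is left to the operator.

```python
import ipaddress
import re

# Constructed Snort "fast" format alert lines (not from the original thread).
SAMPLE_ALERTS = [
    "10/22-16:01:02.000001  [**] [1:1000001:1] TEST scan probe [**] [Priority: 2] {TCP} 203.0.113.7:4444 -> 192.0.2.10:80",
    "10/22-16:01:05.000002  [**] [1:1000002:1] TEST web attack [**] [Priority: 1] {TCP} 198.51.100.22:1025 -> 192.0.2.10:80",
    "10/22-16:01:09.000003  [**] [1:1000003:1] TEST dns probe [**] [Priority: 3] {UDP} 198.41.0.4:53 -> 192.0.2.10:53",
    "10/22-16:01:11.000004  [**] [1:1000004:1] TEST internal noise [**] [Priority: 3] {TCP} 192.0.2.99:3000 -> 192.0.2.10:22",
    "garbage line that does not look like an alert",
]

# Hypothetical "never block" list, the kind the reply says you must maintain:
# a root nameserver (198.41.0.4 is a.root-servers.net), a partner /24 and our own /24.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("198.41.0.4/32", "198.51.100.0/24", "192.0.2.0/24")
]

# Tail of a Snort fast alert: "{PROTO} src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_source(line):
    """Return the alert's source IP as an ip_address, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None


def protected_by(ip):
    """Return the protected network containing ip, or None if it may be blocked."""
    for net in NEVER_BLOCK:
        if ip in net:
            return net
    return None


def decide(line):
    """Classify one alert line as ('block', ip) or ('skip', reason)."""
    ip = parse_source(line)
    if ip is None:
        return ("skip", "unparseable alert line")
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        # Blocking these would never hit a real attacker and may break local services.
        return ("skip", f"{ip}: not a routable source")
    net = protected_by(ip)
    if net is not None:
        return ("skip", f"{ip}: protected by {net}")
    return ("block", str(ip))


def plan_blocks(lines):
    """Split alert lines into addresses safe to block and alerts to skip (with reasons)."""
    plan = {"block": [], "skip": []}
    for line in lines:
        action, detail = decide(line)
        if action == "block" and detail not in plan["block"]:
            plan["block"].append(detail)
        elif action == "skip":
            plan["skip"].append(detail)
    return plan


if __name__ == "__main__":
    result = plan_blocks(SAMPLE_ALERTS)
    for ip in result["block"]:
        print(f"BLOCK {ip}")
    for reason in result["skip"]:
        print(f"SKIP  {reason}")
```

Run against the constructed alerts, only 203.0.113.7 ends up on the block list; the partner address, the root nameserver and the internal host are all refused, which is exactly the failure the reply describes: a spoofed alert naming one of those addresses would otherwise have cut them off. In a swatch-style deployment this check would sit between the alert match and whatever pushes the address to the PIX.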