Re: Snort and Cisco Pix

From: Kurt Seifried
Date: 10/23/01

Message-ID: <017a01c15b45$f3d55500$>
From: "Kurt Seifried"
Subject: Re: Snort and Cisco Pix
Date: Mon, 22 Oct 2001 16:07:33 -0600

Flex resp will do it. You could also use log monitoring software like swatch
to take an action if a rule is matched; you could have it update the
firewall list/etc. Personally I would recommend extreme caution doing this:
if someone spoofs an attack from a partner or client, you suddenly firewall
them, and the attacker has just executed a rather nice attack on your
system. The logic needed to prevent this would be simple, but a good list of
sites you do not want to block would be fun to keep up to date (root
nameservers, partners, popular websites the boss likes, etc.).

Kurt Seifried,
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574

----- Original Message -----
From: "Jeremy"
Sent: Monday, October 22, 2001 3:43 PM
Subject: Snort and Cisco Pix

Hello all,

  We were looking at the new Cisco IDS card that goes into their 6500s, and
our Cisco guy said that when it matches a signature it could update the PIX
access lists to block traffic from that IP. We are currently running several
Snort boxes, and I was wondering if there was anything like that for Snort.
Also, is there anything in Snort now other than flex-resp that takes an
active role in stopping packets that match a certain signature?
  Sure would like to save our company $40K from having to buy 2 of those
Cisco IDS cards.
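The swatch-style approach Kurt describes above (watch the Snort alert log, decide whether to push a block to the firewall, and keep a list of sites that must never be blocked) can be sketched as a small decision script. The following is an added example written for this archive page; it is not code from Kurt, Jeremy, the Snort project, or swatch. It goes a little beyond the message by adding a per-source alert threshold, so that a single spoofed packet is not enough to trigger a block. The alert lines, the `NEVER_BLOCK` list and the `threshold` value are constructed stand-ins (RFC 5737 addresses), and the script only emits a decision; wiring the "block" bucket to a real firewall is left to the operator.

```python
import ipaddress
import re
from collections import Counter

# Constructed Snort "fast"-style alert lines for the demo; none are real traffic.
SAMPLE_ALERTS = [
    "10/22-15:43:01.123456 [**] [1:1000001:1] DEMO scan probe [**] [Priority: 2] {TCP} 203.0.113.7:41022 -> 192.0.2.10:80",
    "10/22-15:43:02.223456 [**] [1:1000001:1] DEMO scan probe [**] [Priority: 2] {TCP} 203.0.113.7:41023 -> 192.0.2.10:443",
    "10/22-15:43:05.000000 [**] [1:1000002:1] DEMO web attack [**] [Priority: 1] {TCP} 198.51.100.9:5555 -> 192.0.2.10:80",
    "10/22-15:43:07.000000 [**] [1:1000002:1] DEMO web attack [**] [Priority: 1] {TCP} 198.51.100.9:5556 -> 192.0.2.10:80",
    "10/22-15:43:08.000000 [**] [1:1000002:1] DEMO web attack [**] [Priority: 1] {TCP} 198.51.100.77:6000 -> 192.0.2.10:80",
    "10/22-15:43:09.000000 [**] [1:1000003:1] DEMO dns anomaly [**] [Priority: 3] {UDP} 192.0.2.53:53 -> 192.0.2.10:33000",
]

# Networks that must never be auto-blocked. Constructed RFC 5737 addresses stand
# in for a root nameserver (192.0.2.53) and a partner network (203.0.113.0/24);
# a real list is the one Kurt describes (root servers, partners, the boss's sites).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "203.0.113.0/24")]

# Pulls sid, message, protocol and endpoints out of a fast-format alert line.
# Ports are optional so ICMP alerts (no ports) still parse.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def is_protected(ip, never_block=NEVER_BLOCK):
    """True if the address falls inside any never-block network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in never_block)


def decide_blocks(lines, threshold=2, never_block=NEVER_BLOCK):
    """Bucket alert sources into block / protected / below_threshold.

    threshold is an assumed knob: a source needs at least this many alerts
    before it is a block candidate, which blunts a one-packet spoof.
    """
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line (swatch would see other log noise too)
        counts[alert["src"]] += 1

    decision = {"block": [], "protected": [], "below_threshold": []}
    for src, n in sorted(counts.items()):
        if is_protected(src, never_block):
            decision["protected"].append(src)  # never firewall these, spoofed or not
        elif n < threshold:
            decision["below_threshold"].append(src)
        else:
            decision["block"].append(src)
    return decision


if __name__ == "__main__":
    for bucket, hosts in decide_blocks(SAMPLE_ALERTS).items():
        print(f"{bucket}: {hosts}")
```

Running it prints one line per bucket: the partner host and the stand-in root server land in `protected` even though the partner host tripped enough alerts, the single-alert source stays in `below_threshold`, and only `198.51.100.9` reaches `block`. The script deliberately stops at the decision; whatever pushes the block to the firewall should log the action and be reversible, since the spoofing problem Kurt raises cannot be fully solved by a threshold alone.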