Re: Snort and Cisco Pix

From: Kurt Seifried (bugtraq@seifried.org)
Date: 10/23/01


Message-ID: <017a01c15b45$f3d55500$6400030a@seifried.org>
From: "Kurt Seifried" <bugtraq@seifried.org>
To: <focus-ids@securityfocus.com>
Subject: Re: Snort and Cisco Pix
Date: Mon, 22 Oct 2001 16:07:33 -0600

Flex resp will do it. You could also use log monitoring software like swatch
to take an action if a rule is matched, you could have it update the
firewall list/etc. Personally I would recommend extreme caution doing this,
if someone spoofs an attack from a partner or client you suddenly firewall
them, and the attacker has just executed a rather nice attack on your
system. The logic needed to prevent this would be simple but a good list of
sites you do not want to block would be fun to keep up to date (root
nameservers, partners, popular websites the boss likes, etc.).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

----- Original Message -----
From: "Jeremy" <prrthd@myrealbox.com>
To: <focus-ids@securityfocus.com>
Sent: Monday, October 22, 2001 3:43 PM
Subject: Snort and Cisco Pix

Hello all,

  We were looking at the new Cisco IDS card that goes into their 6500s and
our Cisco guy said that when it matches a signature it could update the PIX
access lists to block traffic from that IP. We are currently running several
snort boxes and I was wondering if there was anything like that for snort.
Also, is there anything in snort now other than flex-resp that takes an
active role in stopping packets that match a certain signature?
  Sure would like to save our company $40K from having to buy 2 of those
Cisco IDS cards.

Thanks,
   Jeremy
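As an added illustration of the caveat in Kurt's reply (this is not code from the original thread, nor from Snort or swatch): a small Python filter that a log watcher such as swatch could call for each alert line. It pulls the source address out of a Snort alert_fast line and refuses to block anything on a maintained "never block" list, so a spoofed alert from a partner or your own address space cannot turn into a self-inflicted outage. The allowlist entries, rule IDs and alert lines are constructed for the example; the actual firewall update is left to the caller.

```python
import ipaddress
import re

# Constructed "never block" list, in the spirit of the caveat above: partners,
# resolvers you depend on, and your own internal space. Documentation ranges only.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # partner network (constructed)
    "192.0.2.53/32",     # a nameserver we depend on (constructed)
    "10.0.0.0/8",        # our own internal range (constructed)
)]

# Matches the "{PROTO} src[:port] ->" part of a Snort alert_fast line.
_SRC = re.compile(r"\{\w+\}\s+(\S+?)(?::\d+)?\s+->")

def source_ip(line):
    """Return the source address of one alert_fast line, or None if it is not an alert."""
    m = _SRC.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def decide(line):
    """Classify one alert line as ("block", ip), ("skip", ip) or ("ignore", None)."""
    src = source_ip(line)
    if src is None:
        return ("ignore", None)
    # Refuse to act on anything covered by the allowlist; log it for a human instead.
    if any(src in net for net in NEVER_BLOCK):
        return ("skip", str(src))
    return ("block", str(src))

def plan_blocks(alert_text):
    """Run decide() over a whole alert file; returns {source_ip: verdict} for real alerts."""
    plan = {}
    for line in alert_text.splitlines():
        verdict, ip = decide(line)
        if ip is not None:
            plan[ip] = verdict
    return plan

# Constructed Snort alert_fast lines for demonstration (not real traffic or real rules).
SAMPLE_ALERTS = """\
10/22-15:43:12.123456  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Priority: 2] {TCP} 203.0.113.7:4321 -> 10.0.0.5:80
10/22-15:43:13.000001  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Priority: 2] {TCP} 198.51.100.9:5555 -> 10.0.0.5:80
10/22-15:43:14.000002  [**] [1:1000002:1] CONSTRUCTED ping sweep [**] [Priority: 3] {ICMP} 192.0.2.53 -> 10.0.0.5
10/22-15:43:15.000003  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Priority: 2] {TCP} 10.0.0.9:1234 -> 10.0.0.5:80
this line is not an alert
"""
```

Only the "block" verdicts would be handed to whatever updates the firewall; the "skip" verdicts are the spoofing cases Kurt warns about and belong in front of a human.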