Re: Snort with PF as an IPS

2007-09-11 Thread Ovi

Daniel Marsh wrote:

On 9/11/07, Ovi [EMAIL PROTECTED] wrote:

Hello

I am interested if anybody uses snort with pf to block in real time IPs
detected by snort as viruses, scans and so on.
I saw on mailing lists that Snort + ipfw (snort_inline) works, but I
need pf for this setup.

Also I wonder if it is possible to block p2p traffic using such setup,
with p2p rules defined from Snort.


You can use Spoink which will apply as a patch to Snort (either needs 
the port modified or snort compiled manually).


Spoink will add IP addresses which Snort has alerted on to a specified 
table in Pf.

http://freshmeat.net/projects/spoink/


Thank you, I'll try spoink.
I've also found snort2pf (http://sourceforge.net/projects/snort2pf/)

Best Regards,
ovidiu

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Snort with PF as an IPS

2007-09-11 Thread Erik Osterholm
On Tue, Sep 11, 2007 at 05:27:50PM +0300, Ovi wrote:
> Hello
> 
> I am interested if anybody uses snort with pf to block in real time IPs
> detected by snort as viruses, scans and so on.
> I saw on mailing lists that Snort + ipfw (snort_inline) works, but I
> need pf for this setup.
> 
> Also I wonder if it is possible to block p2p traffic using such setup,
> with p2p rules defined from Snort.
> 
> Best Regards,
> ovidiu

We use a simple Perl script to do this with pf.  The basic structure
is that we maintain a pf table of hosts to block, and the Perl script
watches for changes to the snort alert file, parses new entries, adds
those entries to the table, and kills all state to that IP address.

Of course, this is a pretty drastic measure, so we're very careful
about the rules we use in Snort.  I believe that snort-inline just
blocks the offending packets (with the option to block the host
entirely), but there's no way to use snort-inline with pf at the
moment.

Erik
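The approach Erik describes (watch the Snort alert file, parse new entries, add the address to a pf table, kill its states), written out as an added Python sketch. This is not Erik's Perl script and not Spoink or snort2pf; the alert file path, the table name, the SIDs, the protected networks and the sample alert lines are assumptions or constructed for the example, and the pfctl invocations follow pfctl(8) as I understand it. It also shows the pf.conf side that Daniel's Spoink answer depends on: a persistent table plus a block rule that references it. Two checks worth having in any alert-driven blocker are included: act only on a vetted list of rule SIDs (Erik's "careful about the rules" point), and never add addresses from your own networks, since an attacker who spoofs a source address can otherwise use the IDS to block your gateway or DNS server.

```python
"""Snort alert_fast -> pf table blocker.  Added example, not the list
poster's Perl script.  Assumptions (none come from the thread):
  * Snort logs with 'output alert_fast' to ALERT_FILE.
  * pf.conf carries a persistent table and a block rule for it:
        table <snortblock> persist
        block drop in  quick from <snortblock> to any
        block drop out quick from any to <snortblock>
  * the script runs as root (pfctl needs it).
"""
import ipaddress
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

ALERT_FILE = "/var/log/snort/alert"   # assumed path
TABLE = "snortblock"                   # assumed pf table name

# Snort 2.x alert_fast line:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

# Blocking a host is drastic, so act only on rules you have vetted.
# These are constructed local-rule SIDs, not real Snort rules.
BLOCK_SIDS: Set[str] = {"1000001", "1000002"}

# Never block addresses we depend on: a spoofed source address would
# otherwise let an attacker use the IDS to cut off our own gateway or DNS.
# (assumed "inside" networks, RFC 5737 documentation range)
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("127.0.0.0/8")]


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Fields of one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def is_protected(ip: str) -> bool:
    """True for addresses we refuse to block (and for anything unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in NEVER_BLOCK)


def offender(alert: Dict[str, str]) -> Optional[str]:
    """Address to block for this alert, or None to ignore the alert."""
    if alert["sid"] not in BLOCK_SIDS:
        return None
    src = alert["src"]
    return None if is_protected(src) else src


def pfctl_commands(ip: str) -> List[List[str]]:
    """Add ip to the table, then kill states from it and to it (pfctl(8))."""
    return [
        ["pfctl", "-t", TABLE, "-T", "add", ip],
        ["pfctl", "-k", ip],                     # states with ip as source
        ["pfctl", "-k", "0.0.0.0/0", "-k", ip],  # states with ip as destination
    ]


def read_new_lines(path: str, offset: int) -> Tuple[List[str], int]:
    """Lines appended since offset; restart from 0 if the file was rotated."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        if fh.tell() < offset:      # file shrank: logrotate/newsyslog replaced it
            offset = 0
        fh.seek(offset)
        raw = fh.readlines()
        return [ln.decode("utf-8", "replace") for ln in raw], fh.tell()


def process(lines: Iterable[str], blocked: Set[str],
            run: Callable[[List[str]], object] =
            lambda argv: subprocess.run(argv, check=True)) -> List[str]:
    """Block each new offender once; return the addresses blocked by this call."""
    added: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        ip = offender(alert) if alert else None
        if ip is None or ip in blocked:
            continue
        for argv in pfctl_commands(ip):
            run(argv)
        blocked.add(ip)
        added.append(ip)
    return added


# Constructed sample alerts: made-up SIDs and messages, RFC 5737 addresses.
SAMPLE_ALERTS = [
    "09/11-17:27:50.123456  [**] [1:1000001:1] LOCAL scan burst [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44123 -> 192.0.2.10:22",
    "09/11-17:27:51.000001  [**] [1:1000002:1] LOCAL p2p handshake [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.25:51413 -> 198.51.100.7:6881",
    "09/11-17:27:52.500000  [**] [1:1000001:1] LOCAL scan burst [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "09/11-17:27:53.000000  [**] [1:9999:3] LOCAL noisy but harmless [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.77:5353 -> 192.0.2.1:5353",
    "this line is not an alert",
]

if __name__ == "__main__":
    import sys, time
    if "--demo" in sys.argv:            # dry run: print the pfctl argv instead
        print(process(SAMPLE_ALERTS, set(), run=print))
    else:                               # poll the real alert file (assumed path)
        seen, pos = set(), 0
        while True:
            lines, pos = read_new_lines(ALERT_FILE, pos)
            process(lines, seen)
            time.sleep(2)
```

Run it with `--demo` to see which of the constructed alerts would lead to a block: only the outside scanner is added (once, although it alerts twice); the p2p alert is ignored because its source is on the protected inside network, and the low-priority rule is not on the SID list at all. A persistent table survives `pfctl -f pf.conf` reloads, but it is still empty after a reboot, so store the set somewhere (or re-add it from the table on startup with `pfctl -t snortblock -T show`) if blocks are meant to last.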