
Recently I installed Snort on my Ubuntu 18.04 server and also wrote some rules in local.rules. It perfectly detects my rules, like ping, simple DoS attacks, etc.

I have 4 questions:

  1. How can I block a specific IP address in Snort detection rules? (for example, in DoS detection rules)

  2. Does Snort store any data about detections, like IPs, contents, etc., in some database? With apt-get install snort, MySQL has been installed too.

  3. Is it possible to run a script on an alert?

  4. When I used the reject action and started Snort in console mode, I got a "connection refused" error on SSH, and I can't log in to SSH anymore until I restart the server. The rule is:

reject tcp any any -> $HOME_NET any (msg:"simple dos attack"; threshold:type both, count 50, seconds 5, track by_dst; sid:1000001;)

Mehdi bmp

1 Answer


The typical way to do this is to run Snort in inline mode and then modify the Snort rules as shown under "Dropping Traffic" at the link above.

RE: #2 Snort will log to /var/log/alert (or similar; see the Snort config) to notify about what it is detecting.

RE: #3 There are ways to run a script on an alert, but you need to plan on your script being called 1000s of times a second if Snort is triggering on a bursty flood of traffic.

RE: #4 Not sure. Would need more info.

Server Fault
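Regarding question #3 and the answer's warning about a script being called thousands of times a second: the following is an added example (not code from the question, the answer, or the Snort project) of a Python handler that parses Snort's alert_fast log format and runs an external script at most once per (sid, source IP) per time window. The sample alert lines are constructed, and the script path /usr/local/bin/on-snort-alert.sh is a hypothetical placeholder.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample lines in Snort's alert_fast format (not captured from a real sensor).
SAMPLE_ALERTS = [
    "01/23-14:05:12.100000  [**] [1:1000001:0] simple dos attack [**] [Priority: 0] {TCP} 10.0.0.5:4444 -> 192.168.1.10:22",
    "01/23-14:05:12.200000  [**] [1:1000001:0] simple dos attack [**] [Priority: 0] {TCP} 10.0.0.5:4445 -> 192.168.1.10:22",
    "01/23-14:05:13.000000  [**] [1:1000002:0] ping detected [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10",
    "01/23-14:06:30.000000  [**] [1:1000001:0] simple dos attack [**] [Priority: 0] {TCP} 10.0.0.5:4446 -> 192.168.1.10:22",
]
# One alert_fast record: timestamp, [gid:sid:rev], message, optional classification, priority, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    # alert_fast omits the year, so measure time against a fixed epoch; that is enough for windowing.
    ts = datetime.strptime(alert["ts"], "%m/%d-%H:%M:%S.%f")
    alert["seconds"] = (ts - datetime(1900, 1, 1)).total_seconds()
    return alert

def should_fire(last_fired, alert, window_seconds):
    """True if no handler ran for this (sid, source IP) within the window; records the time if so."""
    key = (alert["sid"], alert["src"])
    prev = last_fired.get(key)
    if prev is not None and alert["seconds"] - prev < window_seconds:
        return False
    last_fired[key] = alert["seconds"]
    return True

def run_script(alert, script="/usr/local/bin/on-snort-alert.sh"):  # hypothetical script path
    # Pass fields as argv entries, never as a shell string, so alert text cannot be interpreted by a shell.
    subprocess.run([script, alert["sid"], alert["msg"], alert["src"], alert["dst"]], check=False)
def process_alerts(lines, window_seconds=60.0, handler=None):
    """Parse lines, throttle per (sid, src), call handler for survivors, return the (sid, src) pairs handled."""
    last_fired, handled = {}, []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and should_fire(last_fired, alert, window_seconds):
            handled.append((alert["sid"], alert["src"]))
            if handler:
                handler(alert)
    return handled
```

On a live sensor, feed process_alerts the lines as they are appended to the alert file (the path the answer mentions, /var/log/alert or whatever the Snort config sets) and pass run_script as the handler.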