[Snortsam-discussion] Snortsam with preprocessor

Frank Knobbe frank at snortsam.net
Sun May 3 09:01:18 EDT 2009


On Wed, 2009-04-29 at 17:23 -0300, Tiago Giovanaz da Silva wrote:
> Can I use the snortsam to block alerts from preprocessor?
> 
> I need to use the Conficker preprocessor
> (http://mtc.sri.com/Conficker/contrib/plugin.html)


No. By default, Snortsam only blocks on rules, not on any preprocessor
logins. That said, someone had modified the Snortsam plugin to work with
the portscan preproc and it apparently worked. The problem with
preprocessors is that you will have to hard code which IP you want to
block (src or dst) at the moment. Maybe in the future a gen-block.map
could be added to allow for blocking of gen_id/sig_id pairs (and picking
src or dst).

Regards,
Frank
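As an added illustration (not Snortsam's code, nor anything from the thread's participants) of the gen-block.map idea Frank sketches above, here is a small Python decision function: it parses a constructed map of gen_id:sig_id pairs to the side (src or dst) that should be blocked, applies it to sample preprocessor events, and refuses to block anything on a never-block list. The map file format, the sample alerts, the GID 1000 entry and the never-block network are all assumptions made for this example; only GID 122 (Snort's sfPortscan generator) is a real identifier.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of the hypothetical gen-block.map discussed in the
# thread. Format assumed here: "<gen_id>:<sig_id> <src|dst>", '#' comments.
SAMPLE_GEN_BLOCK_MAP = """
# gen_id:sig_id   side-to-block
122:1   src      # sfPortscan (GID 122): block the scanning host
122:2   src
1000:1  dst      # hypothetical preprocessor GID 1000: block the contacted host
"""

# Constructed never-block list, in the spirit of a "don't block" whitelist:
# internal infrastructure that an automatic block must never cut off.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class PreprocAlert:
    """A preprocessor event as Snort would hand it to an output plugin."""
    gen_id: int
    sig_id: int
    src: str
    dst: str


def parse_gen_block_map(text: str) -> Dict[Tuple[int, int], str]:
    """Parse the assumed gen-block.map format into {(gen_id, sig_id): side}."""
    mapping: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        ids, side = line.split()
        gen_id, sig_id = (int(x) for x in ids.split(":"))
        if side not in ("src", "dst"):
            raise ValueError(f"bad side {side!r} in line {raw!r}")
        mapping[(gen_id, sig_id)] = side
    return mapping


def choose_block_target(alert: PreprocAlert,
                        mapping: Dict[Tuple[int, int], str]) -> Optional[str]:
    """Return the IP to block for this event, or None if nothing should be blocked.

    Unmapped gen_id/sig_id pairs (including GID 1, ordinary rule alerts) are
    left to the existing rule-based path; mapped events pick src or dst, and
    addresses on the never-block list are skipped even when mapped.
    """
    side = mapping.get((alert.gen_id, alert.sig_id))
    if side is None:
        return None
    candidate = alert.src if side == "src" else alert.dst
    addr = ipaddress.ip_address(candidate)
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return candidate


if __name__ == "__main__":
    m = parse_gen_block_map(SAMPLE_GEN_BLOCK_MAP)
    events = [
        PreprocAlert(122, 1, "203.0.113.5", "192.0.2.10"),      # scanner -> block src
        PreprocAlert(1000, 1, "192.0.2.10", "198.51.100.7"),    # mapped dst
        PreprocAlert(1, 2000001, "203.0.113.5", "192.0.2.10"),  # rule alert, unmapped
        PreprocAlert(1000, 1, "198.51.100.7", "192.0.2.10"),    # dst is never-block
    ]
    for ev in events:
        print(ev.gen_id, ev.sig_id, "->", choose_block_target(ev, m))
```

The point of the never-block check is the one Frank raises: with preprocessor events the blocked side is chosen per gen_id/sig_id rather than per rule, so a mistaken "dst" entry could otherwise block your own servers.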

