From frank at snortsam.net Sun Nov 8 18:30:46 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 08 Nov 2009 17:30:46 -0600
Subject: [Snortsam-discussion] New Snortsam version 2.86: Major PF/PF2 clean-up
Message-ID: <1257723046.79502.2.camel@localhost>

Greetings,

Olli Hauer submitted a new version of the PF2 plugin. It now supports the tear-down and disconnect of existing sessions. In the past, Snortsam added the IP to groups for block action, but that only blocked new connections. Existing sessions (for example, brute-force attacks) remained open. Now the session can be killed. Please read the README.pf2 documentation included in the FTP and CVS docs directory and in the source tarball.

Olli also did some clean-up on the older PF plugin. Table names are now fixed. The code may no longer work on OpenBSD older than 3.3, but should work without problems on all newer versions.

Thanks Olli!

I also brought the plugin version numbers listed on startup of Snortsam in sync with the respective versions of the plugin in CVS.

CVS and FTP have been updated with the new Snortsam version, now at version 2.68.

Enjoy,
Frank


From frank at snortsam.net Thu Nov 26 22:23:48 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 26 Nov 2009 21:23:48 -0600
Subject: [Snortsam-discussion] New Snortsam version 2.69: Tweaks to pf2 and new makesnortsam.sh script
Message-ID: <1259292228.56214.9.camel@localhost>

Greetings,

Olli Hauer submitted some tweaks to the pf2 plugin, and some clean-up to other code. In addition, a new version of makesnortsam.sh has been created that makes it easier to modify things (like adding a custom source file).

Great work Olli!

CVS and FTP have been updated with the new Snortsam version, now at version 2.69.

Hope everyone had a great Thanksgiving!

Enjoy,
Frank


From vpbalint at gmail.com Sun Nov 29 08:17:52 2009
From: vpbalint at gmail.com (Varga-Perke Balint)
Date: Sun, 29 Nov 2009 14:17:52 +0100
Subject: [Snortsam-discussion] change iptables rules
Message-ID:

Dear List,

I'm using SnortSam with iptables on Linux and I would like to change the iptables rules snortsam applies after receiving an alert. I patched and compiled snort 2.8.4.1 with the appropriate patch and I rewrote the ssp_iptables.c(?) file as described in the docs and compiled snortsam.

The strange thing is that snort applies the original rules even if snortsam is not running! I couldn't find any iptables rules defined in the patched snort's source files.

How is this possible and where can I rewrite those iptables rules?

Thank you:

-- 
Varga-Perke Balint
vpbalint at gmail.com
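The two-step block that Frank's first announcement describes for pf2 (add the address to a table so the block rule catches new connections, then kill the already-established states so brute-force sessions do not stay open) can be reproduced by hand with pfctl. The script below is an added example for this archive; it is not Snortsam's pf2 plugin code and does not reflect how the plugin itself is implemented. It assumes the pf.conf fragment printed by pf_conf_fragment is loaded, that the table is named <snortsam> (an assumed name, not one taken from README.pf2), that pfctl runs as root, and it uses only documented pfctl options (-t/-T add, -T delete, -k). Setting PF_DRY_RUN=1 prints the pfctl command lines instead of executing them, so the script can be read and exercised on a machine without pf.

```shell
#!/bin/sh
# Added example (not Snortsam's pf2 plugin): block a host with pf in two steps.
#   1. Add the address to a pf table referenced by a block rule. This stops
#      NEW connections only; states that already exist keep passing traffic.
#   2. Kill the existing state entries from and to the address, which tears
#      down sessions that were established before the block was applied.
# Assumptions (constructed for this example): table name <snortsam>, the
# pf.conf fragment below is loaded, pfctl is run as root.

PF_TABLE=${PF_TABLE:-snortsam}
PF_DRY_RUN=${PF_DRY_RUN:-0}   # 1 = print pfctl command lines, do not execute

# pf.conf fragment this script expects. "persist" keeps the table alive even
# when it is empty, so "pfctl -T add" works before the first block.
pf_conf_fragment() {
    cat <<'EOF'
table <snortsam> persist
block in quick from <snortsam> to any
block out quick from any to <snortsam>
EOF
}

# run_pfctl: execute pfctl, or echo the command line in dry-run mode.
run_pfctl() {
    if [ "$PF_DRY_RUN" = "1" ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# validate_ipv4: accept only a dotted quad with octets 0-255, so a malformed
# or hostile alert field can never be spliced into a pfctl command line.
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_host: step 1 (table membership) then step 2 (state teardown).
block_host() {
    ip=$1
    validate_ipv4 "$ip" || { echo "block_host: invalid IPv4 address: $ip" >&2; return 2; }
    # New connections: the block rules match on table membership.
    run_pfctl -t "$PF_TABLE" -T add "$ip" || return 1
    # Existing sessions originating from the host...
    run_pfctl -k "$ip" || return 1
    # ...and existing sessions from anywhere to the host.
    run_pfctl -k 0.0.0.0/0 -k "$ip" || return 1
}

# unblock_host: remove the address from the table again. Nothing is killed
# here; connections simply stop matching the block rules.
unblock_host() {
    ip=$1
    validate_ipv4 "$ip" || { echo "unblock_host: invalid IPv4 address: $ip" >&2; return 2; }
    run_pfctl -t "$PF_TABLE" -T delete "$ip"
}

# Usage:
#   PF_DRY_RUN=1 sh pfblock.sh 192.0.2.10     # show what would be run
#   sh pfblock.sh --show-conf                  # print the pf.conf fragment
case "$1" in
    --show-conf) pf_conf_fragment ;;
    "") ;;
    *) block_host "$1" ;;
esac
```

The second -k pair matters: `pfctl -k host` removes states whose source is the host, while `pfctl -k 0.0.0.0/0 -k host` removes states from any source to that host, so both directions of an established session are torn down, which is exactly the gap the table-only approach left open.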