Snort time from detection to block


  • Banned

    The Snort time from detection to block is not helping me. Is there a way to inspect the packet and then pass it only if it passes the snort rule? I use snort only for one port on my email server, so a delay in the packets is no big deal, but the packets getting through are. Snort is only effective for the next time a bad IP comes in.

    Any suggestions?



  • Instead of a DROP rule, create one with PASS with Suricata inline.

    pfsense doesnt support snort inline yet, maybe when version 3  comes out.

    F.



  • maybe write your own custom Snort Rules: custom.rules?

    http://archive.oreilly.com/pub/h/1393


  • Banned

    So I can do this with Suricata?
    Is there a FAQ somewhere to explain using inline. I assume using this allows Suricata to review and drop the packet before it can be delivered.

    I already write my own custom rules. I was hoping there were some commands I could use. I understand the snort rules are compatible with Suricata too.


  • Banned

    Reading up on Suricata looks like the answer to my needs now that the inline option is available.
    Thanks


Log in to reply