Snort: drop, not block



  • Hi!

    How can I set it up only to drop packets, or to block the IP for 0.1s or max 5s?



  • Install the cron package and reduce the time of the Snort expiretable and the cron execution frequency.



  • Any options to change this in the Snort config file?



  • minute hour mday month wday who command

    0 * * * * root /usr/bin/nice -n20 newsyslog

    1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a

    1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh

    */1 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 60 sshlockout

    1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update

    */1 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 60 virusprot

    30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables

    */5 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c

    What line?



  • Is this OK?

    Can you please explain the lines? :)

    minute hour mday month wday who command

    0 * * * * root /usr/bin/nice -n20 newsyslog

    1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a

    1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh

    */1 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 1 sshlockout

    1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update

    */1 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 1 virusprot

    30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables

    */1 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 1 snort2c



  • */5 means run each 5 minutes.

    The -t 3600 command arg means remove the IP only when it reaches 3600 seconds.

    So you may need to change */1 to * and -t 3600 to -t 50
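
The interaction between the cron schedule and `-t` described in the post above, as an added example that is not part of the original thread or of pfSense itself. It assumes expiretable removes an entry at the first run where the entry's age has reached `-t`, and it only models integer-second `-t` values and jobs whose hour, day, month and weekday fields are `*`; the function names are hypothetical.

```python
import shlex

# Two crontab lines from the thread (system crontab format with a "who" column).
CRONTAB = """\
*/1 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 60 sshlockout
*/5 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
"""

def expand_minutes(field):
    """Expand a cron minute field (*, */n, a-b, a-b/n, comma lists) to sorted minutes."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        minutes.update(range(lo, hi + 1, step))
    return sorted(minutes)

def max_gap_seconds(minute_field):
    """Longest wait between two consecutive runs of an every-hour job."""
    m = expand_minutes(minute_field)
    # Pair each run with the next one, wrapping around the hour.
    gaps = [(b - a) % 60 or 60 for a, b in zip(m, m[1:] + m[:1])]
    return max(gaps) * 60

def block_windows(crontab):
    """Return {table: (min_s, max_s)}; a block lasts >= min_s and < max_s."""
    out = {}
    for line in crontab.splitlines():
        f = line.split(None, 6)
        if len(f) < 7 or line.lstrip().startswith("#") or "expiretable" not in f[6]:
            continue
        if f[1:5] != ["*", "*", "*", "*"]:
            continue  # assumption: only every-hour, every-day jobs are modelled
        args = shlex.split(f[6])
        age = int(args[args.index("-t") + 1])  # -t value in seconds
        out[args[-1]] = (age, age + max_gap_seconds(f[0]))  # last arg is the pf table
    return out

if __name__ == "__main__":
    for table, (lo, hi) in block_windows(CRONTAB).items():
        print(f"{table}: blocked for at least {lo}s and less than {hi}s")
```

With `*` and `-t 50` the window is 50 to just under 110 seconds, and with `-t 1` it is 1 to just under 61 seconds. Because cron runs at most once a minute, the expiry job alone cannot produce the 0.1s to 5s block asked about at the top of the thread.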



  • Thanks!! :)

    Can you please help me by explaining what each line's function is:

    /usr/bin/nice -n20 newsyslog
    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 1 sshlockout
    /usr/bin/nice -n20 /etc/rc.dyndns.update
    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 1 virusprot
    /usr/bin/nice -n20 /etc/rc.update_urltables
    /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 1 snort2c



  • The only one with snort args ;)

    Snort2c

