How does snort perform the block action?

  • I'm curious how snort is blocking traffic and if it can in some way be modified.  Ideally I want snort or a L7 filter to identify users that are using P2P programs and redirect them to a remediation page that explains they will not have access to the internet until they disable the P2P program.

    If that can't be done, then it would be nice if snort could auto generate firewall rules to drop only the P2P traffic.

    Currently though when I enable the snort p2p rules and put it in IPS mode it blocks the user from communicating through the gateway, but I don't see how.  I look at the firewall rules and nothing has been added.  How does snort block a user/machine/IP?


  • It's in an anchor in the ruleset.
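A way to see that block in practice, as an added example that is not part of the thread and not the snort package's own code: on a pf-based gateway the blocked hosts are not separate firewall rules but entries in a pf table referenced from the ruleset, so they do not show up in the rule list. The script assumes a pfSense-style layout where snort inserts offending addresses into a table named `snort2c` (an assumption; check `pfctl -sr` for the table your install actually uses). The parsing helper takes the table listing on stdin so it can be exercised offline with constructed input.

```shell
#!/bin/sh
# Added example (not from the thread). Shows where pf keeps the hosts that
# snort blocked: in a table referenced by the ruleset, not in new rules.
# Assumptions: pfSense-style setup, table name "snort2c".

SNORT_TABLE="${SNORT_TABLE:-snort2c}"   # assumed table name, override via env

# Return 0 if IP is present in a `pfctl -t <table> -T show` listing read
# from stdin (one indented address per line), 1 otherwise.
ip_in_table_listing() {
    ip="$1"
    awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }'
}

# Print the anchors, the rules that reference the snort table, and the
# table contents, so the block mechanism is visible end to end.
show_snort_blocks() {
    echo "== anchors loaded in the ruleset =="
    pfctl -sA
    echo "== rules referencing <$SNORT_TABLE> =="
    pfctl -sr | grep "<$SNORT_TABLE>"
    echo "== hosts currently in <$SNORT_TABLE> =="
    pfctl -t "$SNORT_TABLE" -T show
}

# Check one host live: exits 0 when it is blocked by the table.
is_host_blocked() {
    pfctl -t "$SNORT_TABLE" -T show | ip_in_table_listing "$1"
}

# Example invocation when run directly (needs pf; skipped when sourced):
# show_snort_blocks
# is_host_blocked 192.168.1.20 && echo "192.168.1.20 is blocked"
```

Removing a host from that table (for example with `pfctl -t snort2c -T delete <ip>`) restores its access without touching the rules, which is why nothing appears or disappears in the firewall rule list when snort acts.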

  • Thanks, and sorry about originally posting in the wrong area.

    Can you explain a little more or point me in the direction of where to look?  Is there any possibility of modifying the action to redirect the user to a remediation page or drop only the P2P traffic?  If we wanted to pay for support hours to cover the cost of developing this feature, how many hours would you estimate?

