I have installed snort-inline on CentOS
(http://snort-inline.sourceforge.net/download.html, version
snort_inline-2.6.1.5.tar.gz).
It works very well; it can alert or drop packets without problems!
*In the iptables rules, I monitor only port 80:*
iptables -I INPUT -p tcp --dport 80 -j QUEUE
iptables -I OUTPUT -p tcp --sport 80 -j QUEUE
*In the Snort rules, I use only one rule for testing:*
#Drop all access to webserver if more than 10 access/second
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC access"; flow:to_server, established; uricontent:"/";
nocase; reference:nessus,10302; classtype:web-application-activity;
threshold: type both , track by_dst, count 10 , seconds 10 ; sid:1852;
rev:1;)
(I took this rule from:
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.thresholding?rev=1.5
)
*But now I have a problem:*
When it drops a packet, snort-inline BLOCKS that IP and does not seem
to release it ----> it means snort-inline BLOCKS that IP forever
(until snort-inline is restarted).
So I want snort-inline to drop/block an IP only for a time range (e.g. a
few minutes).
How can I do this?
*Thank you in advance!*
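The behaviour of the `threshold` keyword in the rule above is easy to misread, so here is an added example (not code from the poster or from the Snort project) that models the three threshold types described in README.thresholding (`limit`, `threshold`, `both`) with `track by_src`/`by_dst`, and runs them over constructed events. It is a simplified model of Snort's thresholding, written from memory of the documented semantics; the event list, IP addresses and function names are assumptions made up for the example. Note that `threshold` only decides whether a rule *fires* for a given event; it does not by itself add or expire any kind of per-IP block.

```python
# Added example: a model of Snort's "threshold" rule keyword
# (type limit / threshold / both, track by_src / by_dst, count, seconds).
# Simplified from the semantics in README.thresholding; not Snort's own code.


class ThresholdTracker:
    """Thresholding state for one rule (one sid).

    limit:     fire on the first `count` events in each `seconds` window
    threshold: fire every `count`-th event, then reset the counter
    both:      fire once per window, on the `count`-th event, ignore the rest
    Counters are kept per source IP (by_src) or per destination IP (by_dst).
    """

    def __init__(self, ttype, track, count, seconds):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type %r" % ttype)
        if track not in ("by_src", "by_dst"):
            raise ValueError("unknown track value %r" % track)
        self.ttype, self.track = ttype, track
        self.count, self.seconds = count, seconds
        self.state = {}  # ip -> (window_start_time, events_in_window)

    def _key(self, src, dst):
        return src if self.track == "by_src" else dst

    def event(self, t, src, dst):
        """Return True if the rule fires for the event seen at time t (seconds)."""
        k = self._key(src, dst)
        start, n = self.state.get(k, (None, 0))
        if start is None or t - start >= self.seconds:
            start, n = t, 0  # window expired (or first event): start a new one
        n += 1
        fire = False
        if self.ttype == "limit":
            fire = n <= self.count
        elif self.ttype == "threshold":
            if n >= self.count:
                fire, start, n = True, t, 0  # fire and restart the counter
        else:  # "both"
            fire = n == self.count  # exactly once per window
        self.state[k] = (start, n)
        return fire


def fired_indices(tracker, events):
    """Indices of the events (t, src, dst) for which the rule fired."""
    return [i for i, (t, s, d) in enumerate(events) if tracker.event(t, s, d)]


# Constructed sample traffic (not captured data): 20 requests from one client
# to the web server 0.1 s apart, then 20 more starting 12 s later.
SERVER = "192.0.2.10"
BURST = [(i / 10, "198.51.100.7", SERVER) for i in range(20)]
LATER = [(12 + i / 10, "198.51.100.7", SERVER) for i in range(20)]
ONE_CLIENT = BURST + LATER

# Two clients alternating requests to the same server, 40 events in 4 s.
TWO_CLIENTS = [(i / 10, "198.51.100.7" if i % 2 == 0 else "203.0.113.5", SERVER)
               for i in range(40)]


def demo():
    """Run the rule from the post (both, by_dst, count 10, seconds 10) and variants."""
    return {
        # the post's rule: fires once per 10 s window once 10 hits are seen
        "both_by_dst": fired_indices(
            ThresholdTracker("both", "by_dst", 10, 10), ONE_CLIENT),
        "limit_by_dst": fired_indices(
            ThresholdTracker("limit", "by_dst", 10, 10), ONE_CLIENT),
        "threshold_by_dst": fired_indices(
            ThresholdTracker("threshold", "by_dst", 10, 10), ONE_CLIENT),
        # by_dst pools both clients' hits; by_src counts each client separately
        "two_clients_by_dst": fired_indices(
            ThresholdTracker("both", "by_dst", 10, 10), TWO_CLIENTS),
        "two_clients_by_src": fired_indices(
            ThresholdTracker("both", "by_src", 10, 10), TWO_CLIENTS),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print("%-20s fired on events %s" % (name, hits))
```

With the rule from the post (`type both, track by_dst, count 10, seconds 10`) the model fires on the 10th request and then stays quiet until the 10 s window has expired, while `by_src` with two clients fires separately for each source. Whatever a `drop` rule does to an individual matching packet, nothing in this keyword keeps state that would release an address after a set time; a timed block has to come from another mechanism.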