SnortSam is an intrusion prevention plugin for Snort. It functions by adding a new response to a Snort rule that allows the rule to trigger a change to a firewall or router. The change is usually to block or disallow traffic from or to a particular IP address for a period of time. SnortSam works with the Checkpoint Firewall-1 and Cisco PIX brands of firewalls. It also works with most Cisco-brand routers.

The idea behind implementing SnortSam is that you would be able to detect the early phases or components of an attack and automatically respond before the attacker could complete the attack. An example is reconnaissance attacks: If Snort detects a zone transfer attempt against a DNS server from an untrusted source, a blocking request ...
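An added illustration of the rule response described above (not taken from the book): a local Snort rule for the DNS zone transfer case, using the `fwsam` rule option and the `alert_fwsam` output plugin that the SnortSam patch adds to Snort. The agent address, password placeholder, SID and 10-minute duration are assumptions chosen for the example.

```snort
# snort.conf: forward block requests to the SnortSam agent.
# 192.0.2.10 and the password are constructed placeholder values.
output alert_fwsam: 192.0.2.10/CHANGE_ME

# local.rules: TCP zone transfer request (AXFR, query type 0x00FC) from an external source.
# "fwsam: src, 10 minutes" asks the agent to block the source address for 10 minutes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"LOCAL DNS zone transfer attempt"; \
    flow:to_server,established; content:"|00 00 FC|"; offset:15; \
    classtype:attempted-recon; sid:1000001; rev:1; fwsam: src, 10 minutes;)
```

Legitimate secondary name servers that perform zone transfers should fall outside `$EXTERNAL_NET` or be listed under `dontblock` in the agent's `snortsam.conf`, so that a rule like this never blocks them.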
