Hi
OpenBSD rocks and I have donated to this great cause :-)
Hope you can help. So I have the following setup:
               DMZ
                |
                |
LAN-----OpenBSD/PF/Snort?------Internet
So in a nutshell I want to drop packets (not sessions) that match an IDS
signature after PF filtering.
So for example (PF is a Layer 3 filter):
1. A PF rule allows SMTP to the DMZ from the Internet
2. SMTP traffic is permitted by PF
3. IDS detects an attack packet that would be permitted by the above
rule
4. System (Snort) drops only the matching attack packets
So AFAIK flexresp, snortsam, snort2pf and guardian are out.
Snort has to be inline, which it is, so can I drop single packets after
PF filtering that match a signature?
Is this available currently? If so, how do I go about it, or can something
be put together?
Thanks for your time.
Cheers
Richard
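Added illustration, not part of Richard's message and not Snort's or OpenBSD's code: one way the packet-level drop described above can be put together. In pf.conf, a `pass` rule carrying `divert-packet port <port>` hands every packet it matches to a userland divert(4) socket bound to that port, after PF has already applied its own filtering and state tracking; a packet the listener does not write back is dropped, while the TCP state created by the `pass` rule stays up, so only the offending packet disappears rather than the session. The pf.conf fragment in the comment, the divert port 700, the interface and address names, and the byte-pattern "signatures" are assumptions for the example; the pattern match is a stand-in for a real IDS engine such as Snort, and the socket loop in `main()` is written from divert(4)'s documented recvfrom/sendto usage but is not exercised here.

```python
import socket
import struct
import sys

# Assumed pf.conf fragment (not from the original post; names and port are arbitrary):
#   ext_if   = "em0"
#   dmz_mail = "192.0.2.25"
#   pass in on $ext_if proto tcp from any to $dmz_mail port smtp divert-packet port 700
# Every packet PF passes with that rule is handed to the divert(4) socket bound to
# port 700 below. A packet that is not re-injected is dropped; the state PF created
# for the SMTP session stays, so dropping one packet does not drop the session.

DIVERT_PORT = 700
# OpenBSD's IPPROTO_DIVERT is 258; Python's socket module exposes it only on systems
# that define it (assumption: this runs on OpenBSD as root).
IPPROTO_DIVERT = getattr(socket, "IPPROTO_DIVERT", 258)

# Constructed stand-in for IDS signatures: byte patterns searched for in the SMTP
# payload of each packet. A real deployment would use Snort's rule engine instead.
SIGNATURES = {
    "smtp-overlong-helo": b"HELO " + b"A" * 64,
    "smtp-vrfy-probe": b"VRFY root",
}


def parse_ipv4(packet):
    """Return (proto, src, dst, layer4_bytes) for a raw IPv4 packet, or None."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), packet[ihl:]


def tcp_payload(segment):
    """Return (dst_port, payload) for a TCP segment, or None if it is malformed."""
    if len(segment) < 20:
        return None
    _, dport, _, _, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        return None
    return dport, segment[data_off:]


def inspect(packet):
    """Per-packet verdict for one packet PF diverted: ('drop', signature) only when a
    signature matches SMTP payload, otherwise ('pass', None)."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return "pass", None          # not IPv4 we understand: leave it to PF's decision
    proto, _, _, layer4 = parsed
    if proto != 6:                   # only TCP carries SMTP
        return "pass", None
    tcp = tcp_payload(layer4)
    if tcp is None:
        return "pass", None
    dport, payload = tcp
    if dport != 25:
        return "pass", None
    for name, pattern in SIGNATURES.items():
        if pattern in payload:
            return "drop", name
    return "pass", None


def build_smtp_packet(payload, src="203.0.113.9", dst="192.0.2.25", dport=25):
    """Construct a minimal IPv4/TCP packet carrying `payload` (test input only;
    checksums are left zero because only inspect() reads the packet)."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def main():
    # divert(4): read each diverted packet; re-injecting with the address recvfrom
    # returned resumes processing where PF diverted it, and not re-injecting drops it.
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", DIVERT_PORT))
    while True:
        pkt, addr = s.recvfrom(65535)
        verdict, sig = inspect(pkt)
        if verdict == "drop":
            print("dropped packet matching", sig, file=sys.stderr)
            continue                 # not written back, so PF drops this packet only
        s.sendto(pkt, addr)          # re-inject; the session continues untouched


if __name__ == "__main__":
    main()
```

The decision lives in `inspect()` so it can be checked offline with constructed packets; only `main()` needs the divert socket and root on the OpenBSD box.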