FlexResp allows snort to actively close offending connections.
To use FlexResp, build and install LibNet, which is available from:

  http://www.packetfactory.net

Just add the following to a rule:

  resp:<resp_modifier>[,<resp_modifier>...]

where resp_modifier is one or more of

  rst_snd     send TCP-RST packets to the sending socket
  rst_rcv     send TCP-RST packets to the receiving socket
  rst_all     send TCP-RST packets in both directions
  icmp_net    send an ICMP_NET_UNREACH to the sender
  icmp_host   send an ICMP_HOST_UNREACH to the sender
  icmp_port   send an ICMP_PORT_UNREACH to the sender
  icmp_all    send all of the above ICMP packets to the sender

All these options can be combined (e.g. resp:rst_snd,icmp_all).
The default is rst_snd.

Rules can be written like this:

  # just stop the offender
  var RESP_TCP resp:rst_snd;
  # also kill a possible local counterpart
  var RESP_TCP_URG resp:rst_all;
  # tell'em we're gone ...
  var RESP_UDP resp:icmp_port,icmp_host;
  . . .
  alert tcp !$HOME_NET any -> $HOME_NET 1524 (msg: "default Backdoor access!"; flags: S; $RESP_TCP_URG)
  alert udp any any -> $HOME_NET 31 (msg:"Hackers Paradise"; $RESP_UDP)
  alert udp any any -> $HOME_NET 456 (msg:"Hackers Paradise"; $RESP_UDP)
  alert udp any any -> $HOME_NET 555 (msg:"iNi Killer/Phase Zero/Stealth Spy"; $RESP_UDP)
  alert tcp any any -> $HOME_NET 10752 (msg:"Linux mountd backdoor"; $RESP_TCP)
  . . .

To enable this feature, use 'configure' with --enable-flexresp

Consider this code as ALPHA. Heavy testing is needed.

Christian Lademann <cal@zls.de>
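As an added example (not part of this README or of Snort itself), the following Python checker expands the var lines and resp modifiers of a ruleset like the one above into the concrete responses each rule would trigger, so an operator can review the active-response footprint before loading the rules. The response labels, the treatment of a bare resp as the documented rst_snd default, and the check that rejects rst_* modifiers on non-TCP rules are this example's own assumptions.

```python
import re

# How each FlexResp modifier from the README expands into concrete packets.
# The labels are this example's own names, not Snort identifiers.
MODIFIERS = {
    "rst_snd":   {"TCP-RST to sender"},
    "rst_rcv":   {"TCP-RST to receiver"},
    "rst_all":   {"TCP-RST to sender", "TCP-RST to receiver"},
    "icmp_net":  {"ICMP_NET_UNREACH to sender"},
    "icmp_host": {"ICMP_HOST_UNREACH to sender"},
    "icmp_port": {"ICMP_PORT_UNREACH to sender"},
}
MODIFIERS["icmp_all"] = MODIFIERS["icmp_net"] | MODIFIERS["icmp_host"] | MODIFIERS["icmp_port"]

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
RULE_RE = re.compile(r"^\s*alert\s+(\w+)\s+[^(]*\((.*)\)\s*$")


def expand_resp(proto, options):
    """Responses a rule's resp option triggers (empty if the rule has none).

    Raises ValueError on an unknown modifier, or on a TCP reset requested for
    a non-TCP rule (a RST only tears down TCP; this check is the example's own).
    """
    responses = set()
    for opt in options.split(";"):
        name, _, value = (s.strip() for s in opt.partition(":"))
        if name != "resp":
            continue
        # A bare 'resp' falls back to the documented default, rst_snd (assumption).
        mods = [m.strip() for m in value.split(",")] if value else ["rst_snd"]
        for mod in mods:
            if mod not in MODIFIERS:
                raise ValueError(f"unknown resp modifier {mod!r}")
            if mod.startswith("rst_") and proto.lower() != "tcp":
                raise ValueError(f"{mod} cannot reset a {proto} rule")
            responses |= MODIFIERS[mod]
    return frozenset(responses)


def plan_responses(ruleset):
    """Map each alert rule in a ruleset (var lines plus rules) to its responses."""
    variables, plan = {}, {}
    for line in ruleset.splitlines():
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)          # e.g. RESP_UDP -> "resp:icmp_port,icmp_host;"
        elif m := RULE_RE.match(line):
            # Substitute $NAME inside the option list, leaving unknown names untouched.
            options = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), m.group(2))
            plan[line.strip()] = expand_resp(m.group(1), options)
    return plan
```

Comment lines and the ". . ." separators from the README are skipped because neither regex matches them.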