Hi, I'm currently running Portsentry on a box, and I've got it configured to add an ipchains rule firewalling off all access to an IP that touches one of the ports that Portsentry is listening on (after doing some sanity checks on where the portscan/port access came from).
I find the way that Portsentry runs (listening on a whole pile of dummy ports) reasonably unattractive, and I'd prefer to use snort to perform the same task if possible. Can snort be configured to call an external program when particular rules are matched (or better still, when a portscan is detected)? The resp and react rule keywords don't seem to quite cut it, and ideally I'd like something real time, not something that trolls snort's logs every n minutes and reacts retrospectively.

Regards,
Andrew