Portsentry vs snort
I'm currently running Portsentry on a box, and I've got it configured to add an
ipchains rule firewalling off all access to an IP that touches one of the ports
that Portsentry is listening on (after doing some sanity checks on where the
portscan/port access came from).
I find the way that Portsentry runs (listening on a whole pile of dummy ports)
reasonably unattractive, and I'd prefer to use snort to perform the same task if
Can snort be configured to call an external program when particular rules are
matched (or better still, when a portscan is detected)?
The resp and react rule keywords don't seem to quite cut it, and ideally I'd
like something real time, not something that trolls snort's logs every n minutes
and reacts retrospectively.
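
The check-then-block step described in the post, as an added example that is not part of the original message. The function name, the allowlist entries and the particular checks are assumptions, since the post does not say which sanity checks it runs. A spoofed source address can otherwise turn an automatic block into a way of cutting off hosts you depend on.

```python
import ipaddress

# Assumed allowlist (constructed placeholder values): never auto-block these.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",        # loopback
    "192.0.2.0/28",       # placeholder: your own management hosts
    "198.51.100.53/32",   # placeholder: a resolver or gateway you rely on
)]


def block_command(source, already_blocked):
    """Return the ipchains argv that blocks `source`, or None if a check fails.

    `already_blocked` is a set of IPv4Address objects kept by the caller so the
    same address does not pile up duplicate rules.
    """
    try:
        # Strict parse: anything that is not a bare dotted quad is rejected,
        # so text from an alert can never smuggle extra arguments in.
        addr = ipaddress.IPv4Address(source.strip())
    except ValueError:
        return None
    if addr.is_unspecified or addr.is_multicast or addr.is_reserved:
        return None                      # not a plausible unicast peer
    if any(addr in net for net in NEVER_BLOCK):
        return None                      # likely spoofed, or one of ours
    if addr in already_blocked:
        return None                      # rule already present
    already_blocked.add(addr)
    # An argv list (no shell) for subprocess.run(); -l logs matching packets.
    return ["/sbin/ipchains", "-I", "input", "-s", str(addr), "-j", "DENY", "-l"]


if __name__ == "__main__":
    seen = set()
    # Constructed sample sources, as an alert handler might hand them over.
    for src in ("203.0.113.7", "203.0.113.7", "127.0.0.1", "192.0.2.5",
                "203.0.113.9; reboot"):
        cmd = block_command(src, seen)
        print(src, "->", " ".join(cmd) if cmd else "skipped")
```
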