Snort mailing list archives
Re:Blocking not friendly traffic
From: Shaiful <shaifuljahari () yahoo com>
Date: Mon, 6 Aug 2001 23:09:46 -0700 (PDT)
Hi, I'm a satisfied Hogwash's customer. For Code Red 2, the following rule works fine for me: drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI CodeRed II Worm"; dsize: >576; flags:A+; content: "|00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24|";) Regards, Shaiful
Hello I try defend my network from CodeRedI/II. How I do it. I use following: 1. alert tcp any any -> any 80 (msg:" ...bla bla bla ...;resp:rst_all;) ^^^^^^^^^^^^ 2. alert tcp any any -> any 80 (msg:" ...bla bla bla ...;react:block;) ^^^^^^^^^^^ 3. I did find and try to use `hogwash': drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: .......) ^^^^ Nothing ... After some time my IIS5+Index server again infected. Question: with snort I can block this traffic or not? Or I must use normal firewall (like Firewall-1 or other firewall)??? Sincerely yours, Lazarev Dim Technical support /Vgroup Ltd 30, Planetnay Str., 630015, Novosibirsk, Russia Tel.: +7 383 279 73 86 E-mail: support () vgroup ru http://www.vgroup.ru
__________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Blocking not friendly traffic Лазарев Дмитрий (Aug 06)
- Re:Blocking not friendly traffic Shaiful (Aug 06)
- Re: Blocking not friendly traffic Jeff (Aug 06)
- Re: Blocking not friendly traffic Ralf Hildebrandt (Aug 06)
- Re: Blocking not friendly traffic Ralf Hildebrandt (Aug 06)