Re:Blocking not friendly traffic

[Shaiful <shaifuljahari () yahoo com>]

Hi,

I'm a satisfied Hogwash's customer.  For Code Red 2,
the following rule works fine for me:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
(msg:"WEB-IIS ISAPI CodeRed II Worm"; dsize: >576;
flags:A+; content: "|00 00 00 43 6F 64 65 52 65 64 49
49 00 8B 1C 24|";)

Regards,
Shaiful

> Hello
>
> I try defend my network from CodeRedI/II. How I do
> it.
> I use following:
> 1.  alert tcp any any -> any 80 (msg:" ...bla bla
> bla ...;resp:rst_all;)
>                                                     
>       ^^^^^^^^^^^^
> 2. alert tcp any any -> any 80 (msg:" ...bla bla bla
> ...;react:block;)
>                                                     
>      ^^^^^^^^^^^
> 3. I did find and try to use `hogwash':
>    drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:
> .......)
>    ^^^^
>    
> Nothing ... After some time my IIS5+Index server
> again infected.
> Question: with snort I can block this traffic or
> not? Or I must
> use normal firewall (like Firewall-1 or other
> firewall)???
>
> Sincerely yours,
> Lazarev Dim
> Technical support /Vgroup Ltd
>
> 30, Planetnay Str., 630015, Novosibirsk, Russia
> Tel.: +7 383 279 73 86
> E-mail: support () vgroup ru
> http://www.vgroup.ru


__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users