Snort mailing list archives

Re: Code Red attacks


From: Alec Waters <alec.waters () dataline co uk>
Date: Tue, 18 Sep 2001 16:55:01 +0100

Hi Randy,


> permit tcp any "my.web.server.ip" eq 80
> deny tcp any any eq 80 log
>
> NIDS would still see CR attacks on valid servers but this should
> stop the probes on invalid servers.  Any thoughts?

If your router platform supports NBAR, you can even stop Code Red from reaching
valid servers altogether. Take a look at this:

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

It works a treat for me.

alec
--
Alec Waters
Dataline Software Ltd
Clarence House, 30-31 North Street, Brighton, BN1 1EB, UK

Tel: +44 (0)1273 324939
Fax: +44 (0)1273 205576
www: http://www.dataline.co.uk
wap: http://wap.dataline.co.uk


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
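
The NBAR approach mentioned in the reply, sketched as an added example (not part of the original message and not copied from the linked Cisco page): NBAR marks HTTP requests whose URL matches the Code Red request, and an ACL drops the marked packets ahead of the two ACL lines quoted in the mail. The interface names, ACL number, class and policy names, DSCP value, the server address 192.0.2.10 and the `*default.ida*` URL pattern are assumptions.

```cisco
! Added example; names, numbers and addresses below are assumptions.
! NBAR needs CEF switching enabled.
ip cef
!
! Classify HTTP requests whose URL contains the Code Red target.
class-map match-any CODERED-URL
 match protocol http url "*default.ida*"
!
! Mark matching packets with a DSCP value nothing else on the network uses.
policy-map MARK-CODERED
 class CODERED-URL
  set ip dscp 1
!
! Mark on the Internet-facing interface, inbound.
interface Serial0/0
 service-policy input MARK-CODERED
!
! Drop marked packets first, then apply the two rules from the quoted mail.
access-list 105 deny   ip any any dscp 1 log
access-list 105 permit tcp any host 192.0.2.10 eq 80
access-list 105 deny   tcp any any eq 80 log
! Permits for non-HTTP traffic go here; anything left hits the implicit deny.
!
! Filter on the way out towards the server LAN, after marking has happened.
interface FastEthernet0/0
 ip access-group 105 out
```

NBAR can only classify a flow once the request URL has been seen, so the TCP handshake to the valid server still completes and a NIDS in front of the router still sees the attempt. The `log` keyword on the DSCP rule gives a router-side record of the dropped requests.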

