Snort mailing list archives
Re: New to snort
From: Mike Poor <sp0re () digitz org>
Date: Mon, 1 Oct 2001 19:09:33 -0400
Johnno, there is this capability... "active response" (session sniping) or through the guardian scripts, which will put offending IPs in your block list in IP chains/tables. This is a very sketchy way to operate, as you are basically giving control of your firewall over to 'the bad guys'. Very easy way to DoS your net, if the attacker knows what you are doing.

It would be easier to set up snort to alert you, or put a higher rank on the alert, so that you can choose to add the real offending IPs to a block list.

On Monday 01 October 2001 17:37, Johnno wrote:
> I am very new to snort.. only installed it a few days ago.. what I want snort to do if it picks up
>
>   alert tcp any any -> any 80 (content:"cmd.exe";msg:"cmd.exe exploit";)
>
> it will drop the connection end of story...
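The alert-then-choose workflow recommended in the reply above, as an added example that is not part of the original thread or of Snort itself: it reads alert lines, refuses any source address on a protected list (the case where a forged source would make you block your own services), and returns a review queue instead of touching the firewall. The alert line layout, the `PROTECTED` networks, the `review_queue` name and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed alert layout: "<time> [**] <msg> [**] <src>:<port> -> <dst>:<port>"
ALERT_RE = re.compile(
    r"\[\*\*\].*?\[\*\*\].*?(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
)

# Hypothetical site policy: addresses that must never reach the block list,
# because an alert carrying a forged source from here would cut off our own
# web server network or upstream DNS.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]

# Constructed sample alerts (documentation address ranges, not real traffic).
SAMPLE = """\
10/01-17:30:01.000001  [**] cmd.exe exploit [**] 203.0.113.7:1501 -> 192.0.2.10:80
10/01-17:30:02.000001  [**] cmd.exe exploit [**] 203.0.113.7:1502 -> 192.0.2.10:80
10/01-17:30:03.000001  [**] cmd.exe exploit [**] 198.51.100.53:53 -> 192.0.2.10:80
10/01-17:30:04.000001  [**] cmd.exe exploit [**] 203.0.113.99:4000 -> 192.0.2.10:80
""".splitlines()


def review_queue(lines, min_alerts=2):
    """Return (candidates, refused). Nothing is blocked automatically."""
    hits = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line in the assumed layout
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # octet out of range, ignore the line
    candidates, refused = [], []
    for src, count in sorted(hits.items()):
        if any(src in net for net in PROTECTED):
            refused.append((str(src), count))  # flag for investigation, never block
        elif count >= min_alerts:
            candidates.append((str(src), count))  # a human decides on these
    return candidates, refused


if __name__ == "__main__":
    cands, refused = review_queue(SAMPLE)
    print("review before blocking:", cands)
    print("refused (protected, possibly spoofed):", refused)
```
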