Snort mailing list archives
Re: Using resp against a virus
From: Michael Boman <michael.boman () securecirt com>
Date: Wed, 10 Jul 2002 09:54:25 +0800
On Wednesday 10 July 2002 05:39, Jeremy wrote:

> Hello all,
>
> I was just curious if resp could be used to reset the connection when an email virus matches a rule. For example, we get tons of Klez matches on our external snort box and I was wondering if we could use resp to reset the connection before it hits the SMTP server. We do have anti-virus on the SMTP server so it does catch Klez and sanitize the email, but it would be nice to take some load off that server by resetting the connection before it even got that far.
>
> I was not sure how tearing down the connection would affect the source SMTP server: would it keep trying to send the email or would it be stopped in its tracks?
>
> Please CC me any responses since I am not currently on this list.
>
> Thanks,
> Jeremy

If you reset the SMTP transmission, the SMTP server on the other end will try again and again and again... You get the idea...

<rant>
Viruses should be stopped by ANTI VIRUS software, NOT with IDS software. Let's look at it: AV signatures: +50k; AV signatures in snort: 82 (quick 'grep -c ^alert' in 1.8.7b7's virus.rules), probably less as I guess they would work on both port 25 (SMTP) and port 110 (POP3).
</rant>

To summarize: get real anti-virus software - it works much better... Letting _any_ IDS take care of the virus problem can only give you a false sense of security. If your box is too loaded to handle all the viruses you should get some more money to upgrade it. Show the figures to the CTO/CEO/CFO telling them how efficient the AV is at protecting the users (something like: we get on average x viruses per day).

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
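To put numbers behind the "we get on average x viruses per day" figure suggested above, here is an added Python example (not from the thread) that parses Snort fast-format alert lines, counts the mail-bound virus alerts per day, and flags sources that keep reconnecting, which is what a retrying MTA looks like in the alert log; the alert lines, SIDs and addresses are constructed sample data.

```python
import re
from collections import Counter

# Snort "fast" alert layout: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, src:port -> dst:port. The regex is an assumption about
# that layout; tune it to the exact output of your Snort build.
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>[\d:.]+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (placeholder SIDs, documentation IP ranges).
SAMPLE_ALERTS = """\
07/08-10:12:01.000001 [**] [1:9001:1] Virus - Possible Klez Worm [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:3311 -> 192.0.2.25:25
07/08-11:40:17.000002 [**] [1:9001:1] Virus - Possible Klez Worm [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:4010 -> 192.0.2.25:25
07/08-11:41:02.000003 [**] [1:1234:2] WEB-MISC example probe [**] [Classification: Attempted recon] [Priority: 2] {TCP} 198.51.100.9:5000 -> 192.0.2.80:80
07/09-08:05:44.000004 [**] [1:9001:1] Virus - Possible Klez Worm [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:3340 -> 192.0.2.25:25
07/10-02:15:09.000005 [**] [1:9001:1] Virus - Possible Klez Worm [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.77:1025 -> 192.0.2.25:25
07/10-02:15:33.000006 [**] [1:9001:1] Virus - Possible Klez Worm [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.77:1026 -> 192.0.2.25:25
07/10-02:16:01.000007 [**] [1:9001:1] Virus - Possible Klez Worm [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.77:1027 -> 192.0.2.25:25
"""

def parse_alerts(text):
    """Yield one dict per well-formed fast-format alert line; skip the rest."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()

def smtp_virus_alerts(text, smtp_port="25", marker="Virus"):
    """Alerts from virus.rules-style messages aimed at the mail port."""
    return [a for a in parse_alerts(text)
            if a["dport"] == smtp_port and a["msg"].startswith(marker)]

def virus_stats(text):
    """Per-day counts plus the daily average to show management."""
    per_day = Counter(a["date"] for a in smtp_virus_alerts(text))
    avg = sum(per_day.values()) / len(per_day) if per_day else 0.0
    return {"per_day": dict(per_day), "average": avg}

def repeat_sources(text):
    """Sources seen more than once: retrying senders, or a resetting IDS at work."""
    per_src = Counter(a["src"] for a in smtp_virus_alerts(text))
    return {src: n for src, n in per_src.items() if n > 1}

if __name__ == "__main__":
    print(virus_stats(SAMPLE_ALERTS))
    print(repeat_sources(SAMPLE_ALERTS))
```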