Snort mailing list archives
Re: Using resp against a virus -> LaBrea plugin?
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 09 Jul 2002 22:23:08 -0500
On Tue, 2002-07-09 at 21:39, Jeff Kell wrote:
> Michael Boman wrote:
>> On Wednesday 10 July 2002 05:39, Jeremy wrote:
>>> I was just curious if resp could be used to reset the connection when an email virus matches a rule. For example we get tons of Klez matches on our external snort box and I was wondering if we could use resp to reset the connection before it hits the smtp server.
>>
>> If you reset the SMTP transmission the SMTP server on the other end will try again and again and again... You get the idea...
>>
>> <rant> Viruses should be stopped by an ANTI VIRUS software, NOT with an IDS software.
>
> Oh, I don't know, there's a certain satisfaction in tying up the sender SMTP and adding to their outbound queue...
Man! You just gave me an idea. How about a LaBrea plugin for Snort so that if a connection matches a signature, the connection will just be kept hanging like LaBrea does it! That oughta take care of viruses and worms alike...

Frank