Honeypots mailing list archives

Re: Inoculation Scripts


From: Valdis.Kletnieks () vt edu
Date: Wed, 21 Jul 2004 14:51:55 -0400

On Wed, 21 Jul 2004 13:31:15 CDT, Joshua Berry said:
> I use Snort with Flexresp and Snort Inline, I am just playing around
> with this for now.  While Snort-Inline or Flexresp can keep resetting or
> blocking connections, this solution actually removes the worm and cleans
> up the system.  The reality is that large networks have an incredibly
> difficult time patching systems effectively and I am just playing around
> with this in a test network to see how well it works.

Been there, done that.  The *real* reality is you need to make *really* sure
you have your posterior covered in case some Very Self-Important User's machine
doesn't patch correctly...

(And in fact, it's usually a technically reasonable thing to do, the hang-up is *always*
avoiding the liability issues if a machine that isn't your responsibility to fix *anyhow*
gets broken by the patching..)
