Snort mailing list archives

Blocking not friendly traffic

From: Лазарев Дмитрий <dim () vgroup ru>
Date: Tue, 7 Aug 2001 12:47:56 +0700


Hello

I try defend my network from CodeRedI/II. How I do it.
I use following:
1.  alert tcp any any -> any 80 (msg:" ...bla bla bla ...;resp:rst_all;)
                                                           ^^^^^^^^^^^^
2. alert tcp any any -> any 80 (msg:" ...bla bla bla ...;react:block;)
                                                          ^^^^^^^^^^^
3. I did find and try to use `hogwash':
   drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: .......)
   ^^^^
   
Nothing ... After some time my IIS5+Index server again infected.
Question: with snort I can block this traffic or not? Or I must
use normal firewall (like Firewall-1 or other firewall)???

Sincerely yours,
Lazarev Dim
Technical support /Vgroup Ltd

30, Planetnay Str., 630015, Novosibirsk, Russia
Tel.: +7 383 279 73 86
E-mail: support () vgroup ru
http://www.vgroup.ru


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Blocking not friendly traffic Лазарев Дмитрий (Aug 06)
- Re:Blocking not friendly traffic Shaiful (Aug 06)
- Re: Blocking not friendly traffic Jeff (Aug 06)
- Re: Blocking not friendly traffic Ralf Hildebrandt (Aug 06)
- Re: Blocking not friendly traffic Ralf Hildebrandt (Aug 06)