Re: Blocking not friendly traffic

[Jeff <jeff () delnoch net>]

Snort is just intrusion detection, and needs to be used in conjunction
with a firewall product such as IPF/IPFW/IPTABLES/FW-1 (the list goes on).

and, I would also suggest patching your IIS server to prevent reinfection.

Jeff

> Hello
>
> I try defend my network from CodeRedI/II. How I do it.
> I use following:
> 1.  alert tcp any any -> any 80 (msg:" ...bla bla bla ...;resp:rst_all;)
>                                                            ^^^^^^^^^^^^
> 2. alert tcp any any -> any 80 (msg:" ...bla bla bla ...;react:block;)
>                                                           ^^^^^^^^^^^
> 3. I did find and try to use `hogwash':
>    drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: .......)
>    ^^^^
>    
> Nothing ... After some time my IIS5+Index server again infected.
> Question: with snort I can block this traffic or not? Or I must
> use normal firewall (like Firewall-1 or other firewall)???
>
> Sincerely yours,
> Lazarev Dim
> Technical support /Vgroup Ltd
>
> 30, Planetnay Str., 630015, Novosibirsk, Russia
> Tel.: +7 383 279 73 86
> E-mail: support () vgroup ru
> http://www.vgroup.ru
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users