Snort mailing list archives
Re: Antwort: Re: Blocking not friendly traffic
From: Dragos Ruiu <dr () kyx net>
Date: Tue, 7 Aug 2001 00:52:22 -0700
Danger Will Robinson: Conventional wisdom says that auto-blocking is inherently dangerous. However, for those that like to live at the bleeding edge of tech (and the separate process scanning logs and processing firewall commands sounds like a good way to do this...):

Please remember to include an exclusion list and put on it important sites such as root servers, other important DNS servers (yours, and important sites for your users), and in general any host you don't want to receive phone calls about being DoSed when they are spoofed - usually inconveniently, like that first time you actually manage to get on vacation.... (i.e. imagine "Crisis: the CEO can't reach his favorite redlite.org game.... you have to fly back from the Caribbean ASAP....")

cheers,
--dr

On Tue, 07 Aug 2001, ks () schuricht de wrote:
> Hi Ralf,
>
> > > Nothing ... After some time my IIS5+Index server again infected.
> > > Question: with snort I can block this traffic or not? Or I must use
> > > normal firewall (like Firewall-1 or other firewall)???
> >
> > If the alert is triggered, the packet already infected your machine. So
> > there's little you can do. Normal firewall won't help, because it's
> > legitimate traffic (the point of a webserver is to serve webpages!)
>
> I write a little C program that scans snort logfiles every 15 minutes for several attacks. If we detect portscans, CodeReds a.s.o., the program rejects tcp/udp/icmp traffic for all 'enemy' hosts found (meaning: it inserts ipchains rules). It's a bit like guardian.
>
> Best regards, Kai.
>
> --
> Dept. eBusiness / Development
> D. Schuricht GmbH & Co. KG
> http://www.schuricht.de
>
> Ralf Hildebrandt <Ralf.Hildebrandt@innominate.com>
> Sent by: snort-users-admin@lists.sourceforge.net
> 07.08.01 08:20
>
> To: Snort-users () lists sourceforge net
> Cc:
> Subject: Re: [Snort-users] Blocking not friendly traffic
>
> On Tue, Aug 07, 2001 at 12:47:56PM +0700, ??????? ??????? wrote:
> > Nothing ... After some time my IIS5+Index server again infected.
> > Question: with snort I can block this traffic or not? Or I must use
> > normal firewall (like Firewall-1 or other firewall)???
>
> If the alert is triggered, the packet already infected your machine. So there's little you can do. Normal firewall won't help, because it's legitimate traffic (the point of a webserver is to serve webpages!)
>
> If you want servers that work, stay up, perform, and aren't rooted every other second, use Apache on OpenBSD.
>
> --
> ralf.hildebrandt () innominate com
> innominate AG
> Technical Consultant
> Diplom-Informatiker
> Don't be afraid of what you see - be afraid of what you don't see!
> tel: +49.(0)7000.POSTFIX
> fax: +49.(0)30.308806-77
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
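An added example (mine, not code from this thread and not Kai's program) of the exclusion-list safeguard Dragos asks for, run over constructed Snort alert_fast lines: offending sources are tallied, anything inside the never-block ranges is skipped, and only the rest becomes ipchains rules. All addresses, the `EXCLUSIONS` ranges and the `min_hits` threshold are assumed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast layout (not taken from the thread).
SAMPLE_ALERTS = """\
08/07-00:10:01.000001 [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] {TCP} 203.0.113.7:4321 -> 192.0.2.10:80
08/07-00:10:02.000002 [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] {TCP} 203.0.113.7:4322 -> 192.0.2.10:80
08/07-00:11:15.000003 [**] [1:1256:1] WEB-IIS CodeRed v2 root.exe access [**] {TCP} 198.51.100.53:2000 -> 192.0.2.10:80
08/07-00:12:40.000004 [**] [1:469:1] ICMP PING NMAP [**] {ICMP} 203.0.113.99 -> 192.0.2.10
"""

# Hosts that must never be blocked, whatever the logs say: assumed placeholder
# ranges standing in for your resolvers, root servers and partner sites.
EXCLUSIONS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]

# Matches "{PROTO} src[:port] -> dst[:port]"; the port is absent for ICMP.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)(?::\d+)?"
)


def parse_sources(text):
    """Count alerts per source address found in alert_fast lines."""
    hits = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            hits[m.group("src")] += 1
    return hits


def is_excluded(ip):
    """True if the address falls inside any never-block range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUSIONS)


def plan_blocks(text, min_hits=1):
    """Return (blocked, skipped): sources to block and excluded ones left alone."""
    blocked, skipped = [], []
    for ip, n in sorted(parse_sources(text).items()):
        if n < min_hits:
            continue  # below threshold: a single spoofed packet should not trigger a block
        (skipped if is_excluded(ip) else blocked).append(ip)
    return blocked, skipped


def ipchains_rules(blocked):
    """ipchains commands (the tool named in the thread) denying all traffic from each source."""
    return [f"ipchains -I input -s {ip} -j DENY" for ip in blocked]
```

Logging the `skipped` list is worthwhile: a flood of alerts from an excluded address is exactly the spoofing case Dragos warns about, and it deserves a human look rather than a rule.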
Current thread:
- Antwort: Re: Blocking not friendly traffic ks (Aug 07)
- Re: Antwort: Re: Blocking not friendly traffic Dragos Ruiu (Aug 07)