Snort mailing list archives
Antwort: Re: Antwort: Re: Blocking not friendly traffic
From: ks () schuricht de
Date: Tue, 7 Aug 2001 10:26:54 +0200
Hi dr,
Danger Will Robinson: Conventional wisdom says that auto-blocking is inherently dangerous.
You are right :) I also analyze logfiles every day by hand to see if everything works right (i know that the administration of such security related things never can be done by a script ;). The 'auto-ban-list' only is a first reaction to attackers (i don't wan't to sit on console 24 hours...i can't sleep on a keyboard...it's to hard ;) Also there exists (of course :) a big 'exlude'-list for hosts/networks not to reject trafiic from. Best regards, Kai. -- Abt. eBusiness / Entwicklung D. Schuricht GmbH & Co. KG http://www.schuricht.de Dragos Ruiu <dr () kyx net> An: ks () schuricht de, Ralf Hildebrandt <Ralf.Hildebrandt () innominate com> 07.08.01 Kopie: Snort-users () lists sourceforge net, 09:52 snort-users-admin () lists sourceforge net Thema: Re: Antwort: Re: [Snort-users] Blocking not friendly traffic cheers, --dr On Tue, 07 Aug 2001, ks () schuricht de wrote:
Hi Ralf,Nothing ... After some time my IIS5+Index server again infected. Question: with snort I can block this traffic or not? Or I must use normal firewall (like Firewall-1 or other firewall)???If the alert is triggered, the packet already infected your machine. So there's little you can do. Normal firewall won't help, because it's legitimate traffic (the point of a webserver is to server webpages!)I write a litte c-program that scans snort-logfiles all 15 minutes for several attacks. If we detect portscan, CodeReds a.s.o. the program rejects tcp/udp/icmptraffic for all 'enemy' hosts found (means: inserts a ipchains-Rules). It's a bit like guardian. Best regards, Kai. -- Abt. eBusiness / Entwicklung D. Schuricht GmbH & Co. KG http://www.schuricht.de Ralf Hildebrandt <Ralf.Hildebrandt@innominate. An:
Snort-users () lists sourceforge net
com> Kopie:
Gesendet von: Thema: Re:
[Snort-users] Blocking not friendly
snort-users-admin@lists.sourc traffic eforge.net 07.08.01 08:20 On Tue, Aug 07, 2001 at 12:47:56PM +0700, ??????? ??????? wrote:Nothing ... After some time my IIS5+Index server again infected. Question: with snort I can block this traffic or not? Or I must use normal firewall (like Firewall-1 or other firewall)???If the alert is triggered, the packet already infected your machine. So there's little you can do. Normal firewall won't help, because it's legitimate traffic (the point of a webserver is to server webpages!) If you want servers that work, stay up, perform, and aren't rooted every other second, use Apache on OpenBSD. -- ralf.hildebrandt () innominate com innominate AG Technical Consultant Don't be afraid of what you see - Diplom-Informatiker be afraid of what you don't see! tel: +49.(0)7000.POSTFIX fax: +49.(0)30.308806-77 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Antwort: Re: Antwort: Re: Blocking not friendly traffic ks (Aug 07)