Snort mailing list archives

Re: RE: Cod Red HELP!!!!


From: Jed Haile <jhaile () nitrodata com>
Date: Tue, 7 Aug 2001 08:44:04 -0600


Take a look at hogwash, http://hogwash.sourceforge.net. It can drop all
code red scans quite nicely and ease the load on your web servers.

Jed


On Tuesday 07 August 2001 07:18 am, Theo Zourzouvillys wrote:

This probably isn't the right place to be answering, so sorry for
being off topic.

We are using Cisco CS-800's (formerly Arrowpoint) with a content rule
to block any default.ida's. The requests never even get through to
the server. I don't know if any Cisco routers do layer 5 rules
though.

The other option would be to set up a snort rule, and have it add
iptables rules, but with (last figure I heard) 8000 hosts infected,
that's gonna make a lot of rules.

Theo

Theo Zourzouvillys
Internet Consultant

 + Notnet Consultancy [ www.notnet.co.uk ]
 - Specialising in Unix security, ISP Start-up and regeneration,
 - MySQL solutions, E-commerce, and Load balancing.
 + Notnet.co.uk - Quality web hosting at an affordable price
 - http://www.notnet.co.uk/
 + theo () crazygreek co uk

-----Original Message-----
From: netfilter-admin () lists samba org
[mailto:netfilter-admin () lists samba org] On Behalf Of Advanced
Hosting UNIX Admin Daniel Fairchild
Sent: 07 August 2001 13:52
To: snort-users () lists sourceforge net; netfilter () lists samba org;
bridge () math leidenuniv nl
Subject: Cod Red HELP!!!!

Hello TIA


We are having issues with Code Red on our Unix servers. We have 508
IPs per server, and the Code Red scanning is acting like a massive DDoS
on our Unix machines. We are getting all these requests for default.ida,
and we are trying to figure out how to block it.

Does anyone have any suggestions?


TIA again



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
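
The trade-off raised in the quoted message (one content match on default.ida versus one firewall rule per scanning host), as an added example that is not part of the original thread: it counts default.ida requests per source in access-log lines. The log format, the sample lines and addresses, and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2001:13:40:01 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.11 - - [07/Aug/2001:13:40:02 +0100] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [07/Aug/2001:13:40:02 +0100] "GET /DEFAULT.IDA?NNNN HTTP/1.0" 404 276
192.0.2.10 - - [07/Aug/2001:13:40:05 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [07/Aug/2001:13:40:06 +0100] "GET /docs/default.idea.txt HTTP/1.0" 200 88
203.0.113.9 - - [07/Aug/2001:13:40:07 +0100] "-" 408 -
"""

# source address, method and request target from one common-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+')


def is_ida_probe(target):
    """True when the request path (query string removed) names default.ida."""
    path = target.split("?", 1)[0]
    # Compare case-insensitively and on the last path component only,
    # so /docs/default.idea.txt is not counted.
    return path.lower().rsplit("/", 1)[-1] == "default.ida"


def summarize(log_text):
    """Count default.ida requests per source and size both blocking approaches."""
    per_source, unparsed = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # e.g. a timed-out connection logged as "-"
            continue
        src, _method, target = m.groups()
        if is_ida_probe(target):
            per_source[src] += 1
    return {
        "requests": sum(per_source.values()),
        "per_source": dict(per_source),
        "source_rules_needed": len(per_source),          # one rule per scanning host
        "content_rules_needed": 1 if per_source else 0,  # one URL match covers them all
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The per-source rule count grows with every new scanning host seen in the log, while the content match stays at one rule however many hosts are scanning.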



