Snort mailing list archives
RE: Code Red attacks
From: "Jason Withrow" <jwithrow () mediaone net>
Date: Mon, 17 Sep 2001 20:23:11 -0400
I like it. It makes complete sense to me. - Jason -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Greg Wright Sent: Monday, September 17, 2001 7:56 PM To: 'snort-users () lists sourceforge net' Subject: RE: [Snort-users] Code Red attacks I liked the idea of configuring the server to return data to an exploited system that will patch the hole, however the potential legality issues frighten me, however I wonder... Isn't it possibly a little convoluted in that the exploited system that you are 'putting' data on is actually requesting *something* from your server initially. The action of 'putting data' is the serving of a request initiated by the infected system. If you were to put data on your web server system that stops CodeRed, and an affected box attempted to scan for and pass a request to your server, then the data that it passes back was not sent directly, but sent in response to a request. What is the general opinion on this? Regards, Greg Wright -----Original Message----- From: Erek Adams [mailto:erek () theadamsfamily net] Sent: Tuesday, 18 September 2001 8:22 AM To: Jason Withrow Cc: 'Gordon Ewasiuk'; snort-users () lists sourceforge net Subject: RE: [Snort-users] Code Red attacks On Mon, 17 Sep 2001, Jason Withrow wrote:
What is the legal issue, it is a purely defensive mechanism.
Well... I'm not a lawyer, but: You're doing _something_ to someone
elses
machine--Uninvited. That in and of itself can put you in a lot of legal
hotwater, depending on the remote sites security policy. Now, I'm not
arguing
the morality of what you're doing, or what you intend to do, but the act
of
accessing someone elses stuff without consent puts you into the same
class as
a 'hacker' in a lot of corportate security policy eyes.
Instead, "Do the Right Thing". :) Anyone from your local subnets, give
them
a call. Most of the CR{I,II,III} tend to target the local subnets over
remote
ones. A quick use of whois and traceroute will usually give you a fair
idea
of where someone is at physically.
Or simpler, block them at the router. ;-)
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Code Red attacks, (continued)
- RE: Code Red attacks Erek Adams (Sep 17)
- RE: Code Red attacks Randy Bradley (Sep 18)
- RE: Code Red attacks F.M. Taylor (Sep 18)
- Re: Code Red attacks Alec Waters (Sep 18)
- RE: Code Red attacks Erek Adams (Sep 18)
- RE: Code Red attacks Adrian Mink (Sep 18)
- RE: Code Red attacks Erek Adams (Sep 18)
- RE: Code Red attacks Gordon Ewasiuk (Sep 17)
- RE: Code Red attacks Jason Withrow (Sep 17)
- RE: Code Red attacks Jason Withrow (Sep 17)
- RE: Code Red attacks Jason Withrow (Sep 17)
- RE: Code Red attacks Jason Withrow (Sep 17)
- RE: Code Red attacks Franki (Sep 18)
- Re: Code Red attacks Tim Olson (Sep 18)