Snort mailing list archives

RE: Code Red attacks


From: "Adrian Mink" <adrian () minkland com>
Date: Tue, 18 Sep 2001 12:10:40 -0500

I have already done exactly that, for the same reasons. It works
great. 

Adrian

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
Sent: Tuesday, September 18, 2001 11:04 AM
To: Randy Bradley
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Code Red attacks


On Tue, 18 Sep 2001, Randy Bradley wrote:

   I also have had just about enough CR alerts and was thinking along
those lines.  Can you share an example?  I am thinking of adding
these lines to my access-group in list:

permit tcp any "my.web.server.ip" eq 80
deny tcp any any eq 80 log

   NIDS would still see CR attacks on valid servers but this should
stop the probes on invalid servers.  Any thoughts?

Should work fine.  I'm sure Cisco has a handy-dandy guide on how to set up
those filters.  They got slammed with CR on some of the DSL routers.  Surf
the site and see what you can turn up.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
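
Added example (not part of the original thread): a small Python model of first-match ACL evaluation applied to the two entries Randy proposes. The addresses are constructed documentation-range values standing in for "my.web.server.ip", the entry syntax is simplified to the form quoted in the thread, and the list is assumed to contain only these two entries.

```python
import ipaddress

# Constructed address standing in for "my.web.server.ip" (RFC 5737 documentation range).
WEB_SERVER = "192.0.2.10"

# The two entries from the thread, with the placeholder filled in.
ACL_TEXT = f"""
permit tcp any {WEB_SERVER} eq 80
deny tcp any any eq 80 log
"""

def parse_acl(text):
    """Parse 'action proto src dst eq port [log]' lines into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[4] != "eq":
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append({"action": tok[0], "proto": tok[1], "src": tok[2],
                      "dst": tok[3], "port": int(tok[5]), "log": tok[-1] == "log"})
    return rules

def _addr_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)

def evaluate(rules, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for n, r in enumerate(rules, 1):
        if (r["proto"] == pkt["proto"] and r["port"] == pkt["dport"]
                and _addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            return r["action"], r["log"], n
    return "deny", False, None  # implicit deny: dropped without a log entry

# Constructed packets: a request to the real server, a Code Red style probe
# to an address with no web server, and unrelated SMTP traffic.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": WEB_SERVER, "dport": 80},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.55", "dport": 80},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.25", "dport": 25},
]

def run():
    rules = parse_acl(ACL_TEXT)
    return [evaluate(rules, p) for p in PACKETS]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, run()):
        print(pkt["dst"], pkt["dport"], verdict)
```

The first packet is permitted and so still reaches the web server where the NIDS can see it, while the probe to the non-server address is dropped and logged by the second entry. The third packet shows that anything matching neither entry hits the implicit deny and is dropped without a log line, so on a real router these entries sit alongside whatever else the inbound list already permits.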

