Snort mailing list archives
Re: New to snort
From: "Johnno" <valentine () xtra co nz>
Date: Tue, 2 Oct 2001 13:25:18 +1200
So how would I go about stopping the cmd.exe etc.? These are hitting the network about every 2-3 hours. Although I am using Linux, I am finding it a pain as my Apache logs are filled up with this sort of junk... I want to stop it at the gateway computer so my logs don't get full of this virus/hacker attempt. Because the IP changes all the time, using a normal firewall is not going to cut it. Then I was told about Snort and how it could stop this junk getting through...

Many Thanks,
Johnno

----- Original Message -----
From: "Mike Poor" <sp0re () digitz org>
To: "Johnno" <valentine () xtra co nz>; <snort-users () lists sourceforge net>
Sent: Tuesday, 2 October 2001 11:09
Subject: Re: [Snort-users] New to snort

Johnno, there is this capability... "active response" (session sniping) or through the guardian scripts, which will put offending IP's in your block list in IP chains/tables. This is a very sketchy way to operate, as you are basically giving control of your firewall over to 'the bad guys'. Very easy way to DoS your net, if the attacker knows what you are doing.

It would be easier to set up Snort to alert you, or put a higher rank on the alert, so that you can choose to add the real offending IP's to a block list.

On Monday 01 October 2001 17:37, Johnno wrote:

I am very new to Snort.. only installed it a few days ago.. what I want Snort to do if it picks up

    alert tcp any any -> any 80 (content:"cmd.exe";msg:"cmd.exe exploit";)

it will drop the connection, end of story...
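
The approach suggested in the reply above (let Snort alert, then choose which offending IPs go on the block list) can be sketched as follows. This is an added example, not code from the thread or from the Snort project: the alert lines are constructed in the style of Snort's one-line fast alert output, and `NEVER_BLOCK`, `block_candidates` and the hit threshold are hypothetical names and values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts (documentation address ranges), in the style of
# Snort's one-line "fast" alert output; the exact layout is an assumption.
SAMPLE_ALERTS = """\
10/01-17:37:02.100000  [**] cmd.exe exploit [**] {TCP} 203.0.113.5:1034 -> 192.0.2.10:80
10/01-17:37:03.200000  [**] cmd.exe exploit [**] {TCP} 203.0.113.5:1035 -> 192.0.2.10:80
10/01-19:50:11.000000  [**] cmd.exe exploit [**] {TCP} 198.51.100.7:2201 -> 192.0.2.10:80
10/01-20:01:45.000000  [**] cmd.exe exploit [**] {TCP} 192.0.2.1:4000 -> 192.0.2.10:80
10/01-20:01:46.000000  [**] cmd.exe exploit [**] {TCP} 192.0.2.1:4001 -> 192.0.2.10:80
10/01-20:05:00.000000  [**] ICMP ping [**] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

# Hypothetical: addresses that must never be blocked (own net, gateway, DNS).
# A source claiming to be one of these is more likely spoofed than hostile.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?:\[[\d:]+\]\s*)?(?P<msg>.+?)\s*\[\*\*\].*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

def block_candidates(alert_text, msg="cmd.exe exploit", min_hits=2):
    """Return (candidates, held_back) as lists of (source IP, alert count)."""
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("msg") == msg:
            hits[ipaddress.ip_address(m.group("src"))] += 1
    candidates, held_back = [], []
    for ip, n in sorted(hits.items()):
        if n < min_hits:
            continue  # a single hit is not enough to propose a block
        if any(ip in net for net in NEVER_BLOCK):
            held_back.append((str(ip), n))   # never proposed, only reported
        else:
            candidates.append((str(ip), n))  # for a human to approve
    return candidates, held_back

if __name__ == "__main__":
    todo, protected = block_candidates(SAMPLE_ALERTS)
    for ip, n in todo:
        print(f"review before blocking: {ip} ({n} alerts)")
    for ip, n in protected:
        print(f"not blocking protected address {ip} ({n} alerts)")
```

The script only proposes addresses; nothing is written to the firewall, so a forged source address cannot by itself lock out the gateway or a legitimate peer.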