Snort mailing list archives

Re: New to snort


From: "Johnno" <valentine () xtra co nz>
Date: Tue, 2 Oct 2001 13:25:18 +1200

So how would I go about stopping the cmd.exe etc., as these are hitting
the network about every 2-3 hours? Although I am using Linux, I am finding it
a pain as my Apache logs are filled up with this sort of junk...

I am wanting to stop it at the gateway computer so my logs don't get full of
this virus/hacker attempt.

Because the IP changes all the time, using a normal firewall is not going to
cut it. Then I was told about Snort and how it could stop this junk getting
through...

Many Thanks,
                        Johnno

----- Original Message -----
From: "Mike Poor" <sp0re () digitz org>
To: "Johnno" <valentine () xtra co nz>; <snort-users () lists sourceforge net>
Sent: Tuesday, 2 October 2001 11:09
Subject: Re: [Snort-users] New to snort


Johnno,

There is this capability... "active response" (session sniping), or through
the guardian scripts, which will put offending IPs in your block list in
ipchains/iptables. This is a very sketchy way to operate, as you are basically
giving control of your firewall over to 'the bad guys'. Very easy way to DoS
your net, if the attacker knows what you are doing.

It would be easier to set up Snort to alert you, or put a higher rank on the
alert, so that you can choose to add the real offending IPs to a block list.

On Monday 01 October 2001 17:37, Johnno wrote:
I am very new to snort.. only installed it a few days ago..

What I want Snort to do is, if it picks up

alert tcp any any -> any 80 (content:"cmd.exe"; msg:"cmd.exe exploit";)

drop the connection, end of story...


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
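Mike's suggestion is to let Snort (or the web server logs) alert and then have a human decide which addresses really belong on the block list, rather than handing that decision to whoever sends the packets. The script below is an added example written for this thread, not code from the Snort project or from either poster: it reads Apache combined-format access log lines of the kind Johnno describes, counts cmd.exe/root.exe probes per source address, and only proposes iptables rules for addresses that repeat above a threshold. The log lines, the RFC 5737 documentation addresses in them, and the probe strings are all constructed for the example; the threshold value and the rule format are assumptions a site would tune to its own policy.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format. Addresses are from the
# RFC 5737 documentation ranges and the requests mimic the cmd.exe/root.exe
# probes this thread complains about; none of it is real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2001:17:30:01 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
192.0.2.10 - - [01/Oct/2001:17:30:02 +1200] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
198.51.100.7 - - [01/Oct/2001:18:02:11 +1200] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Oct/2001:19:45:40 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
192.0.2.10 - - [01/Oct/2001:21:15:09 +1200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
203.0.113.5 - - [01/Oct/2001:22:01:13 +1200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
"""

# client ip, timestamp, method, path, status (the fields we need from a combined-format line)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Strings that mark the probes in the request path; matched case-insensitively.
PROBE_MARKERS = ("cmd.exe", "root.exe")


def probe_hits(log_text, markers=PROBE_MARKERS):
    """Map each client address to the list of timestamps of its probe requests.

    Lines that do not parse or do not contain a marker are ignored, so ordinary
    traffic (like the index.html request in the sample) never counts.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, _method, path, _status = m.groups()
        if any(marker in path.lower() for marker in markers):
            hits[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    return dict(hits)


def candidates(hits, min_hits=2):
    """Return (ip, count, first_seen, last_seen) for addresses seen at least
    min_hits times, most active first.

    Requiring repeats is the point of the human-in-the-loop approach: one hit
    is not grounds to block, and a completed HTTP request is at least evidence
    the address was really used, unlike a lone packet with a spoofed source.
    """
    rows = []
    for ip, stamps in hits.items():
        if len(stamps) >= min_hits:
            rows.append((ip, len(stamps), min(stamps), max(stamps)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def iptables_rules(rows, port=80):
    """Render proposed block rules as text for an operator to review and apply
    by hand; nothing here touches the firewall."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip, _count, _first, _last in rows]


if __name__ == "__main__":
    rows = candidates(probe_hits(SAMPLE_LOG), min_hits=2)
    for ip, count, first, last in rows:
        print(f"{ip:15} {count:3} probes  {first:%Y-%m-%d %H:%M} .. {last:%Y-%m-%d %H:%M}")
    print("\nProposed rules (review before applying):")
    for rule in iptables_rules(rows):
        print("  " + rule)
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; raising min_hits or adding a time window is how you tune it so a single stray request (or a forged-looking one) never turns into a firewall change without someone looking at it first, which is the failure mode Mike warns about.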
