Snort mailing list archives
using flex response to block auto updates of client software
From: Madhav Diwan <mdiwan () wagweb com>
Date: Wed, 09 Jan 2002 10:36:55 -0500
Hi everyone. I was wondering if this was possible, and if so, how would I go about doing it, as in setting up the rule and testing whether it would work.

I would like to put an IDS in place on a proxy server that handles mainly TCP connections from several clients to an external service provider running a TCP server over nonstandard ports. This server (or these servers; I don't know if there is one or many) auto-updates the client software on the internal Windows/NT machines, without notification or requesting authorization from the admin or user of the client machine.

I want to set up a system using flex response to block auto updates of client software, until the local LAN admin says it's OK for the auto update to occur.

Also, will there be any problem setting up the Snort 1.8.3 RPM on a RedHat 6.2 box (my proxy server)?

I know the port numbers and the MAC numbers involved. I can tcpdump the traffic and get a look at the content of the packets, but it's hard to know what to look for, especially as we don't know what things are getting updated or when. We do know that some DLLs and EXE files get updated. (Plus there is a chance that the traffic between client and server is encrypted with the software's own scheme.) What should I look for so I can create the right signature?

Thank you
Madhav Diwan