[Snort-sigs] Bleedingsnort.com Daily Update

Matt Jonkman mjonkman at ...2436...
Tue Mar 14 05:25:06 EST 2006


Brian Caswell wrote:
> 
> So, I don't see much discussion about these rules.  Heck, I don't think
> I've seen any.  What is the point in these rules?

To drop inbound attacks from dshield-listed hosts, and to detect
outbound traffic to them. (Outbound has turned out to be more
interesting, actually.)

> 
> Snort can do many things, in fact, if I care to update a plugin I wrote
> many many many years ago, it can even make coffee... but why make Snort
> a firewall?  Wouldn't it be much faster to have the firewall do this
> work, not Snort?

Mostly because these update very often, hourly if you like. We already
have an automated way to push sigs to many places, we don't have an
automated way to push firewall rules to many devices on a daily/hourly
basis.

In our case, we don't review all firewall logs in realtime, and wouldn't
necessarily notice these log entries among the noise.

So it's a very easy way to get this pushed, and to easily see hits on it
through existing channels.

Matt

--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
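The mechanism Matt describes, a block list that is re-fetched on a schedule and turned into a pair of Snort rules (drop or alert on inbound from the listed networks, alert on outbound to them), as an added example written for this archive page; it is not Bleedingsnort's generator or any DShield tooling. The start/end/netmask column layout, the sample networks (documentation ranges only), the 2000000 sid base and the 50-network chunk size are all assumptions chosen for illustration. The `drop` action only takes effect on an inline (snort_inline / Snort with DAQ inline) sensor; a passive sensor should generate the inbound side with `inbound_action="alert"`.

```python
"""Generate Snort rules from a DShield-style block list (added example).

Assumptions: a feed with start, end and netmask columns (or bare CIDRs),
sids allocated from an arbitrary local base, and $HOME_NET defined in
snort.conf.  Real DShield files carry more columns; only the first three
are read here.
"""
import ipaddress
from typing import List

# Constructed sample feed: RFC 5737 documentation ranges, not real DShield data.
# It includes a duplicate and a malformed line to exercise the parser.
SAMPLE_BLOCKLIST = """\
# start        end              netmask
192.0.2.0      192.0.2.255      24
203.0.113.0    203.0.113.255    24
198.51.100.0   198.51.100.255   24
203.0.113.0    203.0.113.255    24
not-an-ip      garbage          24
"""


def parse_blocklist(text: str) -> List[str]:
    """Return unique, sorted CIDR strings from the feed text.

    Malformed lines are skipped rather than aborting, so one bad line in
    an hourly feed does not leave sensors with no dshield rules at all.
    """
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        try:
            if "/" in fields[0]:                       # bare CIDR form
                net = ipaddress.ip_network(fields[0], strict=False)
            else:                                      # start end netmask
                start, _end, mask = fields[:3]
                net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        except (ValueError, IndexError):
            continue
        nets.add(net)
    # Key on (version, address, prefix) so v4 and v6 entries sort together.
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [n.with_prefixlen for n in ordered]


def build_rules(cidrs: List[str], base_sid: int, chunk_size: int = 50,
                inbound_action: str = "drop") -> List[str]:
    """Emit one inbound and one outbound rule per chunk of networks.

    Inbound: drop (inline sensor) or alert (passive sensor) packets from
    listed networks.  Outbound: always alert, since a $HOME_NET host
    talking to a listed address is the signal the thread calls most
    interesting.  Sids come in stable pairs from base_sid so a regenerated
    file keeps the same sid for the same chunk across reloads.
    """
    rules = []
    for start in range(0, len(cidrs), chunk_size):
        group = "[" + ",".join(cidrs[start:start + chunk_size]) + "]"
        pair = start // chunk_size
        sid_in = base_sid + 2 * pair
        sid_out = sid_in + 1
        rules.append(
            f'{inbound_action} ip {group} any -> $HOME_NET any '
            f'(msg:"DSHIELD Block Listed Source group {pair}"; '
            f'reference:url,www.dshield.org; classtype:misc-attack; '
            f'sid:{sid_in}; rev:1;)'
        )
        rules.append(
            f'alert ip $HOME_NET any -> {group} any '
            f'(msg:"DSHIELD Block Listed Destination group {pair}"; '
            f'reference:url,www.dshield.org; classtype:misc-attack; '
            f'sid:{sid_out}; rev:1;)'
        )
    return rules


def generate(text: str, base_sid: int, chunk_size: int = 50,
             inbound_action: str = "drop") -> str:
    """Feed text in, rules-file text out; suitable for writing to a .rules file."""
    rules = build_rules(parse_blocklist(text), base_sid, chunk_size, inbound_action)
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    # Small chunk size so the sample produces more than one rule pair.
    print(generate(SAMPLE_BLOCKLIST, 2000000, chunk_size=2))
```

Two operational points follow from the design. Because the rules match on the `ip` protocol with no payload test, every packet to or from a listed network fires, so on a busy link an event `threshold` (or `detection_filter` on newer Snort) per sid keeps the outbound alerts from drowning in the inbound ones. And because sids are tied to chunk position, a feed that shrinks or reorders between fetches moves networks between sids; keep the file sorted, as the parser does, so the mapping only drifts when the feed content actually changes.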