[Snort-users] Humour- Things not to do with your IDS

A.L.Lambert alambert at ...387...
Tue Nov 14 08:41:17 EST 2000


or my (so far) worst fubar...

alert yada yada (msg: "I detected Blah"; content: "Blah";)

	While output to syslog is on, and syslog is also logging to a
remote host for redundancy... (snort picks up every syslog packet going
out, and generates an alert, which sends another syslog packet, etc.)

	I was not proud of myself that day. :)

	--A.L.Lambert

> could be worse, you could have had a rule like:
> 
> log tcp any any <> $HOME_NET any  (session: all;)
> 
> Adrian
> ----- Original Message -----
> From: "andy lowton" <andy at ...586...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Monday, November 13, 2000 3:21 PM
> Subject: [Snort-users] Humour- Things not to do with your IDS
> 
> 
> > Never temporarily let someone through your firewall to pull a huge file by
> > putting in a temporary snort rule to detect their IP, ..............and
> > then forgetting to take out the rule before they pull the file.
> >
> > All together now.......DOH!
> >
> > l8z
> >
> > andy
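
Added example (not part of the original thread, and not Snort project code): a small Python lint for the syslog feedback loop described in the first message. It assumes the loop arises because the alert's msg text, carried in the outgoing syslog packet, contains the rule's own content string. The sample rules and the function name self_matching_rules are constructed for illustration.

```python
import re

# Constructed sample rules; the first mirrors the shape of the rule in the post.
SAMPLE_RULES = '''
alert udp any any -> any any (msg: "I detected Blah"; content: "Blah";)
alert tcp any any -> any 80 (msg: "CGI probe"; content: "/cgi-bin/phf";)
alert udp any any -> any any (msg: "FOUND BLAH"; content: "blah"; nocase;)
alert udp any any -> any any (msg: "found BLAH"; content: "blah";)
'''

# Matches options of the form  name: "value"  (plain quoted strings only).
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"')


def self_matching_rules(rules_text):
    """Return [(line_no, [contents])] for rules whose own msg text would
    satisfy every content option, i.e. the alert text re-triggers the rule
    when it is sent over the monitored network (remote syslog, for example)."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        opts = OPTION_RE.findall(line)
        msg = next((v for k, v in opts if k == "msg"), None)
        contents = [v for k, v in opts if k == "content"]
        if msg is None or not contents:
            continue
        if any("|" in c for c in contents):
            continue  # hex byte patterns are not evaluated by this check
        # Simplification: a nocase anywhere in the rule folds every content.
        fold = re.search(r";\s*nocase\s*;", line) is not None
        haystack = msg.lower() if fold else msg
        needles = [c.lower() if fold else c for c in contents]
        # A rule fires only when all of its content strings match.
        if all(n in haystack for n in needles):
            findings.append((line_no, contents))
    return findings


if __name__ == "__main__":
    for line_no, contents in self_matching_rules(SAMPLE_RULES):
        print(f"line {line_no}: msg contains its own content {contents}")
```

A rule flagged here is only a problem when alert output crosses an interface the sensor watches; keeping log traffic off the monitored segment or excluding it from inspection breaks the loop as well.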