[Snort-users] how to block an attacker.

Henry Sieff hsieff at ...519...
Wed Apr 4 11:42:43 EDT 2001


> -----Original Message-----
> From: Lance Spitzner [mailto:lance at ...185...]
> Sent: Tuesday, April 03, 2001 6:45 PM
> To: Hallawell, Samuel J
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] how to block an attacker.
> 
> 
> On Wed, 4 Apr 2001, Hallawell, Samuel J wrote:
> 
[SNIP]

> nmap -sS -D a.root-servers.net,(list all root servers) <your system>
> 

Ouch. Lance, you're evil!!!

If you did this (I toyed around with the idea by using a perl proggie
which would check for certain kinds of events and reconfigure my Cisco
ACLs based upon it) you would want to restrict yourself to actual
exploits where the source IP couldn't be spoofed without rooting your
routers.

I haven't done this in a while; I grew uncomfortable with the idea of
automatic router reconfigs, but it's not very hard (if your security
device has a decent way for you to pump configuration changes via a
command line).

Henry
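
An added illustration of the restriction discussed above, not code from this thread: a filter that proposes a block only for alerts whose source had to complete a TCP handshake, and never for protected addresses, so a decoy scan cannot make the blocker cut off the root servers. The alert lines, the SID set, the never-block list and ACL number 101 are all constructed assumptions, and the output is meant for human review rather than automatic push.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (not from the original post).
SAMPLE_ALERTS = """\
04/03-18:45:01.100000  [**] [1:1000001:1] WEB exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:4312 -> 192.0.2.10:80
04/03-18:45:02.200000  [**] [1:1000002:1] SCAN SYN probe [**] [Priority: 2] {TCP} 198.41.0.4:53211 -> 192.0.2.10:22
04/03-18:45:03.300000  [**] [1:1000001:1] WEB exploit attempt [**] [Priority: 1] {TCP} 198.41.0.4:1033 -> 192.0.2.10:80
04/03-18:45:04.400000  [**] [1:1000003:1] DNS exploit attempt [**] [Priority: 1] {UDP} 203.0.113.9:53 -> 192.0.2.10:53
"""

# Assumption: SIDs of rules that only match inside an established TCP session
# (e.g. written with flow:established), so the source completed a handshake.
ESTABLISHED_ONLY_SIDS = {1000001}

# Addresses that must never be blocked; 198.41.0.4 is a.root-servers.net,
# 192.0.2.0/24 stands in for our own network in this constructed sample.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("198.41.0.4/32", "192.0.2.0/24")]

ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\].*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)

def block_candidates(alert_text):
    """Return source IPs that qualify for a block, in first-seen order."""
    out = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        if m["proto"] != "TCP" or int(m["sid"]) not in ESTABLISHED_ONLY_SIDS:
            continue  # spoofable: no completed handshake behind this alert
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in NEVER_BLOCK):
            continue  # never cut off critical infrastructure or our own net
        if str(src) not in out:
            out.append(str(src))
    return out

def acl_lines(ips, acl=101):
    """Render Cisco-style deny entries for review (ACL number is hypothetical)."""
    return [f"access-list {acl} deny ip host {ip} any" for ip in ips]

if __name__ == "__main__":
    print("\n".join(acl_lines(block_candidates(SAMPLE_ALERTS))))
```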



