[Snort-users] how to block an attacker.
gbinder at ...462...
Wed Apr 4 12:28:15 EDT 2001
Henry Sieff on Wed, Apr 04, 2001 at 10:42:43AM -0500:
> If you did this (I toyed around with the idea by using a perl proggie
> which would check for certain kinds of events and reconfigure my Cisco
> ACL's based upon it) you would want to restrict yourself to actual
> exploits where the source IP couldn't be spoofed without rooting your
Using nemesis or something like it, you could produce a lot of packets
that trigger all kinds of different snort rules, and spoof the source
address with no problem. Doing some stateful filtering in front of your
sensor would help a little bit.
Gregor Binder <gregor.binder at ...462...> http://sysfive.com/
sysfive.com GmbH UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
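An added illustration of the point made in this thread (not code from either poster or from the Snort project): a gate that proposes a block only for alerts whose source address is hard to forge. The alert lines are constructed samples in Snort's "fast" alert layout, and the sid set and never-block list are assumptions an operator would maintain.

```python
import ipaddress
import re

# Snort "fast" alert line: [gid:sid:rev] message ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Assumption: each sid here was reviewed and fires only on an established TCP
# session (e.g. the rule uses flow:established), so the sender completed a handshake.
ESTABLISHED_ONLY_SIDS = {1000001}

# Assumption: addresses that must never be blocked automatically (own networks).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]


def block_candidate(line):
    """Return the source IP an alert justifies blocking, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    if m["proto"] != "TCP":                      # UDP/ICMP sources are trivially spoofed
        return None
    if int(m["sid"]) not in ESTABLISHED_ONLY_SIDS:
        return None                              # rule can fire on a single forged packet
    src = ipaddress.ip_address(m["src"])
    if any(src in net for net in NEVER_BLOCK):
        return None                              # forged alerts must not cut off our own hosts
    return str(src)


def candidates(lines):
    """Unique block candidates from a batch of alert lines."""
    return sorted({ip for ip in map(block_candidate, lines) if ip})


# Constructed sample alerts (documentation address ranges, made-up sids).
SAMPLE = [
    "04/04-12:28:15.000001  [**] [1:1000001:1] WEB exploit attempt (constructed) [**] [Priority: 1] {TCP} 192.0.2.10:40000 -> 10.0.0.5:80",
    "04/04-12:28:15.000002  [**] [1:1000002:1] ICMP flood (constructed) [**] [Priority: 2] {ICMP} 198.51.100.7 -> 10.0.0.5",
    "04/04-12:28:15.000003  [**] [1:1000003:1] SYN scan (constructed) [**] [Priority: 2] {TCP} 203.0.113.9:1234 -> 10.0.0.5:22",
    "04/04-12:28:15.000004  [**] [1:1000001:1] WEB exploit attempt (constructed) [**] [Priority: 1] {TCP} 10.0.0.1:40001 -> 10.0.0.5:80",
]

if __name__ == "__main__":
    print(candidates(SAMPLE))
```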