[Snort-users] New to snort
sp0re at ...1708...
Mon Oct 1 16:11:03 EDT 2001
There is this capability... "active response" (session sniping) or through the
Guardian scripts, which will put offending IPs in your block list in
ipchains/iptables. This is a very sketchy way to operate, as you are basically
giving control of your firewall over to 'the bad guys'. Very easy way to DoS
your net, if the attacker knows what you are doing.

It would be easier to set up Snort to alert you, or put a higher rank on the
alert, so that you can choose to add the real offending IPs to a block list.

On Monday 01 October 2001 17:37, Johnno wrote:
> I am very new to snort.. only installed it a few days ago..
> what I want snort to do if it picks up
> alert tcp any any -> any 80 (content:"cmd.exe";msg:"cmd.exe exploit";)
> it will drop the connection end of story...
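
An added example, not part of the original post or of Snort or Guardian: one way to do the alert-then-choose workflow the reply recommends, turning alert lines into a review list for the operator instead of firewall rules. The alert_fast-style line layout, the never-block networks, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed alert_fast-style line:
#   "[**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->"
)

# Hypothetical never-block list: own server network and upstream DNS resolver.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("192.0.2.0/24", "198.51.100.53/32")]


def review_candidates(lines, msg="cmd.exe exploit", min_alerts=2):
    """Return (candidates, protected) as lists of (source_ip, alert_count).

    Nothing is blocked here. 'candidates' are sources the operator may
    choose to block; 'protected' are sources on the never-block list that
    still appeared in alerts, which suggests forged source addresses.
    """
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m and m.group("msg") == msg:
            counts[m.group("src")] += 1

    candidates, protected = [], []
    for src, n in counts.most_common():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in NEVER_BLOCK):
            protected.append((src, n))    # report, never block
        elif n >= min_alerts:
            candidates.append((src, n))   # left for a human decision
    return candidates, protected


# Constructed sample alerts (documentation address ranges only).
SAMPLE = [
    "10/01-16:11:03.000001  [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 203.0.113.7:3312 -> 192.0.2.10:80",
    "10/01-16:11:04.000002  [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 203.0.113.7:3313 -> 192.0.2.10:80",
    "10/01-16:11:05.000003  [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 198.51.100.53:53 -> 192.0.2.10:80",
    "10/01-16:11:06.000004  [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 203.0.113.99:4000 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    cands, prot = review_candidates(SAMPLE)
    print("review before blocking:", cands)
    print("never-block sources seen in alerts:", prot)
```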