[Snort-users] New to snort

Mike Poor sp0re at ...1708...
Mon Oct 1 16:11:03 EDT 2001


Johnno,

There is this capability... "active response" (session sniping) or through the
Guardian scripts, which will put offending IPs in your block list in IP
chains/tables.  This is a very sketchy way to operate, as you are basically
giving control of your firewall over to 'the bad guys'.  Very easy way to DoS
your net, if the attacker knows what you are doing.
It would be easier to set up Snort to alert you, or put a higher rank on the
alert, so that you can choose to add the real offending IPs to a block list.

On Monday 01 October 2001 17:37, Johnno wrote:
> I am very new to snort.. only installed it a few days ago..
>
> what I want snort to do if it picks up
>
> alert tcp any any -> any 80 (content:"cmd.exe"; msg:"cmd.exe exploit";)
>
> it will drop the connection end of story...
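
The alert-then-review approach recommended in the reply above, as an added example that is not part of the original message or of Snort itself: it tallies alert sources and prints candidates for a person to review, and it refuses to propose any address on a never-block list, since a forged source address could otherwise get your own gateway or resolver blocked. The alert line layout (Snort "fast" alert style), the sample lines, the `NEVER_BLOCK` networks and the `min_hits` threshold are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Snort "fast" alert output.
SAMPLE_ALERTS = """\
10/01-16:11:03.101 [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 198.51.100.7:4021 -> 192.0.2.10:80
10/01-16:11:04.220 [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 198.51.100.7:4022 -> 192.0.2.10:80
10/01-16:11:05.310 [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 203.0.113.53:1055 -> 192.0.2.10:80
10/01-16:11:05.900 [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 203.0.113.53:1056 -> 192.0.2.10:80
10/01-16:11:06.450 [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 192.0.2.1:3301 -> 192.0.2.10:80
10/01-16:11:07.020 [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 198.51.100.99:2210 -> 192.0.2.10:80
10/01-16:11:08.777 [**] [1:1000001:1] cmd.exe exploit [**] [Priority: 1] {TCP} 198.51.100.7:4023 -> 192.0.2.10:80
"""

# Assumed values: our own network and an upstream resolver we depend on.
# These are never proposed for blocking, whatever the alerts claim.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.53/32")]

ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

def review_candidates(alert_text, min_hits=2):
    """Return (candidates, protected) as lists of (ip, hit_count).

    candidates: sources with >= min_hits alerts, for a human to review.
    protected:  alerting sources inside NEVER_BLOCK, reported but never proposed.
    """
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line in the assumed format
        try:
            hits[ipaddress.ip_address(m["src"])] += 1
        except ValueError:
            continue  # malformed address: skip rather than guess
    candidates, protected = [], []
    for src, n in hits.most_common():
        if any(src in net for net in NEVER_BLOCK):
            protected.append((str(src), n))
        elif n >= min_hits:
            candidates.append((str(src), n))
    return candidates, protected

if __name__ == "__main__":
    cands, prot = review_candidates(SAMPLE_ALERTS)
    for ip, n in cands:
        print(f"REVIEW   {ip} ({n} alerts): add to block list only after checking")
    for ip, n in prot:
        print(f"PROTECTED {ip} ({n} alerts): never blocked; possible forged source")
```
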



