[Snort-users] New to snort

Johnno valentine at ...3655...
Mon Oct 1 18:26:01 EDT 2001


So how would I go about stopping the cmd.exe etc., as these are hitting
the network about every 2-3 hours? Although I am using Linux, I am finding it
a pain as my Apache logs are filled up with this sort of junk...

I want to stop it at the gateway computer so my logs don't get full of
this virus/hacker attempt.

Because the IP changes all the time, using a normal firewall is not going to
cut it. Then I was told about Snort and how it could stop this junk getting
through....

Many Thanks,
                        Johnno

----- Original Message -----
From: "Mike Poor" <sp0re at ...1708...>
To: "Johnno" <valentine at ...3655...>; <snort-users at lists.sourceforge.net>
Sent: Tuesday, 2 October 2001 11:09
Subject: Re: [Snort-users] New to snort


> Johnno,
>
> there is this capability..."active response" (session sniping) or through the
> guardian scripts, which will put offending IPs in your block list in
> ipchains/iptables. This is a very sketchy way to operate, as you are basically
> giving control of your firewall over to 'the bad guys'. Very easy way to DoS
> your net, if the attacker knows what you are doing.
> It would be easier to set up snort to alert you, or put a higher rank on the
> alert, so that you can choose to add the real offending IPs to a block list.
>
> On Monday 01 October 2001 17:37, Johnno wrote:
> > I am very new to snort.. only installed it a few days ago..
> >
> > what I want snort to do if it picks up
> >
> > alert tcp any any -> any 80
> > (content:"cmd.exe";msg:"cmd.exe exploit";)
> > it will drop the connection, end of story...
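The point Mike makes above is the one to internalise: a rule like `alert tcp any any -> any 80 (content:"cmd.exe"; ...)` has no notion of an established session, so anyone who can send a single spoofed TCP segment carrying "cmd.exe" to your web server can make the guardian scripts block whatever source address they forge, including your upstream gateway or DNS server. The script below is an added example and is not part of this thread, of Snort, or of the guardian scripts. It feeds a few constructed alert lines (the format approximates Snort's "fast" alert output; only the `{PROTO} src:port -> dst:port` tail is actually parsed) through two policies: the naive "block every source that trips an alert" behaviour, and a guarded one that never blocks an allowlisted or RFC1918 address and requires several alerts inside a short window before acting. It only returns the iptables commands it would run; nothing is executed.

```python
"""Auto-block policies for Snort alerts: naive (guardian-style) versus guarded.

Added example, not code from the snort-users thread or from Snort/guardian.
Alert lines below are constructed; the format approximates alert_fast output.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts. 192.0.2.1 plays the role of the site's upstream
# gateway/DNS: the three hits from it are spoofed by the attacker to get it blocked.
SAMPLE_ALERTS = [
    "10/01-17:37:12.000001  [**] cmd.exe exploit [**] {TCP} 203.0.113.5:4321 -> 192.0.2.10:80",
    "10/01-17:37:13.000001  [**] cmd.exe exploit [**] {TCP} 203.0.113.5:4322 -> 192.0.2.10:80",
    "10/01-17:37:14.000001  [**] cmd.exe exploit [**] {TCP} 203.0.113.5:4323 -> 192.0.2.10:80",
    "10/01-17:40:00.000001  [**] cmd.exe exploit [**] {TCP} 192.0.2.1:4444 -> 192.0.2.10:80",
    "10/01-17:40:01.000001  [**] cmd.exe exploit [**] {TCP} 192.0.2.1:4445 -> 192.0.2.10:80",
    "10/01-17:40:02.000001  [**] cmd.exe exploit [**] {TCP} 192.0.2.1:4446 -> 192.0.2.10:80",
    "10/01-17:45:00.000001  [**] cmd.exe exploit [**] {TCP} 198.51.100.7:5555 -> 192.0.2.10:80",
]

# Assumed line shape: "MM/DD-HH:MM:SS.usec  [**] msg [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

# Networks that must never be auto-blocked, whatever the alert says
# (hypothetical site: RFC1918 space plus the gateway/DNS at 192.0.2.1).
DEFAULT_ALLOWLIST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def parse_alert(line):
    """Return a dict with ts (seconds), msg, proto, src, dst; None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = int(m["day"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"ts": ts, "msg": m["msg"], "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def naive_blocklist(lines):
    """Guardian-style: every source address that appears in an alert is blocked."""
    return {a["src"] for a in map(parse_alert, lines) if a}


def guarded_blocklist(lines, allowlist=(), threshold=3, window=60):
    """Block a source only if it is outside the allowlist and triggers >= threshold
    alerts within `window` seconds. Spoofed single packets therefore cannot block a
    trusted host, and one stray hit never blocks anyone."""
    protected = [ipaddress.ip_network(n) for n in list(DEFAULT_ALLOWLIST) + list(allowlist)]
    recent_hits = defaultdict(list)
    blocked = set()
    for a in map(parse_alert, lines):
        if a is None:
            continue
        ip = ipaddress.ip_address(a["src"])
        if any(ip in net for net in protected):
            continue  # never hand the attacker a way to block our own infrastructure
        t = a["ts"]
        hits = [x for x in recent_hits[a["src"]] if t - x <= window]
        hits.append(t)
        recent_hits[a["src"]] = hits
        if len(hits) >= threshold:
            blocked.add(a["src"])
    return blocked


def iptables_commands(ips, chain="INPUT"):
    """Render (not execute) the iptables rules a gateway would add for the given sources."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    print("naive:  ", sorted(naive_blocklist(SAMPLE_ALERTS)))
    print("guarded:", sorted(guarded_blocklist(SAMPLE_ALERTS, allowlist=["192.0.2.1/32"])))
    for cmd in iptables_commands(guarded_blocklist(SAMPLE_ALERTS, allowlist=["192.0.2.1/32"])):
        print(cmd)
```

Run stand-alone, the naive policy blocks all three sources, including the spoofed gateway address; the guarded policy blocks only 203.0.113.5. Leaving the gateway out of the allowlist (`guarded_blocklist(SAMPLE_ALERTS)`) shows the residual risk Mike describes: thresholds alone do not help against an attacker who can send three forged packets, so the allowlist of addresses you cannot afford to lose is the essential part, and the safest course is still the one he recommends, alerting a human who decides what to block.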
