[Snort-users] Code Red attacks

Greg Wright greg.wright at ...1968...
Mon Sep 17 16:57:01 EDT 2001

I liked the idea of configuring the server to return data to an exploited
system that will patch the hole; however, the potential legality issues
frighten me. However, I wonder...

Isn't it possibly a little convoluted, in that the exploited system that you
are 'putting' data on is actually requesting *something* from your server
initially? The action of 'putting data' is the serving of a request
initiated by the infected system.

If you were to put data on your web server system that stops Code Red, and an
affected box attempted to scan for and pass a request to your server, then
the data that it passes back was not sent directly, but sent in response to
a request.

What is the general opinion on this?

Greg Wright

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Tuesday, 18 September 2001 8:22 AM
To: Jason Withrow
Cc: 'Gordon Ewasiuk'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Code Red attacks

On Mon, 17 Sep 2001, Jason Withrow wrote:

> What is the legal issue, it is a purely defensive mechanism.

Well...  I'm not a lawyer, but:  You're doing _something_ to someone else's
machine--uninvited.  That in and of itself can put you in a lot of legal
hot water, depending on the remote site's security policy.  Now, I'm not
judging the morality of what you're doing, or what you intend to do, but the act of
accessing someone else's stuff without consent puts you into the same class
as a 'hacker' in a lot of corporate security policies' eyes.

Instead, "Do the Right Thing".  :)  Anyone from your local subnets, give
them a call.  Most of the CR{I,II,III} variants tend to target the local subnets over
remote ones.  A quick use of whois and traceroute will usually give you a fair idea
of where someone is at physically.

Or simpler, block them at the router.  ;-)

Erek Adams
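The triage Erek describes (sort probing hosts into local ones you phone and remote ones you block at the router) can be scripted from the web server's own access log, since every infected box announces itself with the well-known Code Red probe request for `/default.ida?`. The script below is an added example written for this thread, not code from the list or from the Snort project. The log lines are constructed samples in Common Log Format, the `10.1.0.0/16` local range is hypothetical, and the Cisco-style ACL lines are an assumed syntax to adapt to whatever router you actually run.

```python
import ipaddress
import re

# Constructed sample access-log lines (Common Log Format); not real traffic.
# A host infected with Code Red scans by requesting "/default.ida?" followed by
# a long filler string, so that prefix is the detection key used here.
SAMPLE_LOG = """\
10.1.2.7 - - [17/Sep/2001:10:02:11 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 297
203.0.113.45 - - [17/Sep/2001:10:02:15 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 297
10.1.3.9 - - [17/Sep/2001:10:03:01 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.20 - - [17/Sep/2001:10:03:40 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 297
10.1.2.7 - - [17/Sep/2001:10:05:19 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 297
"""

# Hypothetical local subnets; replace with the ranges you administer.
LOCAL_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]

# Minimal Common Log Format parser: source, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CODE_RED_PROBE = "/default.ida?"


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(rec):
    """True when the request matches the Code Red scanning signature."""
    return rec["method"] == "GET" and rec["path"].startswith(CODE_RED_PROBE)


def is_local(ip_str, subnets=LOCAL_SUBNETS):
    """True when the source address falls inside one of our own subnets."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed address: treat as not ours
    return any(ip in net for net in subnets)


def triage(log_text, subnets=LOCAL_SUBNETS):
    """Split probing hosts into {"local": {ip: hits}, "remote": {ip: hits}}."""
    result = {"local": {}, "remote": {}}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_code_red_probe(rec):
            continue
        bucket = "local" if is_local(rec["src"], subnets) else "remote"
        result[bucket][rec["src"]] = result[bucket].get(rec["src"], 0) + 1
    return result


def router_deny_lines(remote_hosts):
    """Cisco-style extended ACL entries (assumed syntax) for the remote hosts."""
    return [f"access-list 101 deny ip host {ip} any" for ip in sorted(remote_hosts)]


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("Local infected hosts (call the owner):", t["local"])
    print("Remote infected hosts (block at the router):", t["remote"])
    print("\n".join(router_deny_lines(t["remote"])))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; the local bucket is the list to phone, and the remote bucket feeds the router ACL. Nothing is ever sent back to the probing host, which keeps the response on the "block them at the router" side of the legal question raised above.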

