[Snort-users] Code Red attacks

Jason Withrow jwithrow at ...422...
Mon Sep 17 17:12:14 EDT 2001


I like it.
 
It makes complete sense to me.
 
- Jason
 
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Greg
Wright
Sent: Monday, September 17, 2001 7:56 PM
To: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Code Red attacks
 
I liked the idea of configuring the server to return data to an
exploited system that will patch the hole, however the potential
legality issues frighten me, however I wonder...
Isn't it possibly a little convoluted in that the exploited system that
you are 'putting' data on is actually requesting *something* from your
server initially. The action of 'putting data' is the serving of a
request initiated by the infected system.
If you were to put data on your web server system that stops CodeRed,
and an affected box attempted to scan for and pass a request to your
server, then the data that it passes back was not sent directly, but
sent in response to a request.
What is the general opinion on this? 
Regards, 
Greg Wright 
-----Original Message----- 
From: Erek Adams [mailto:erek at ...577...] 
Sent: Tuesday, 18 September 2001 8:22 AM 
To: Jason Withrow 
Cc: 'Gordon Ewasiuk'; snort-users at lists.sourceforge.net 
Subject: RE: [Snort-users] Code Red attacks 
On Mon, 17 Sep 2001, Jason Withrow wrote: 
> What is the legal issue, it is a purely defensive mechanism. 
Well...  I'm not a lawyer, but:  You're doing _something_ to someone
elses 
machine--Uninvited.  That in and of itself can put you in a lot of legal

hotwater, depending on the remote sites security policy.  Now, I'm not
arguing 
the morality of what you're doing, or what you intend to do, but the act
of 
accessing someone elses stuff without consent puts you into the same
class as 
a 'hacker' in a lot of corportate security policy eyes. 
Instead, "Do the Right Thing".  :)  Anyone from your local subnets, give
them 
a call.  Most of the CR{I,II,III} tend to target the local subnets over
remote 
ones.  A quick use of whois and traceroute will usually give you a fair
idea 
of where someone is at physically. 
Or simpler, block them at the router.  ;-) 
----- 
Erek Adams 
Nifty-Type-Guy 
TheAdamsFamily.Net 
 
_______________________________________________ 
Snort-users mailing list 
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010917/2bc5d886/attachment.html>


More information about the Snort-users mailing list