[Snort-users] Code Red attacks

Randy Bradley bradley at ...3438...
Tue Sep 18 06:17:07 EDT 2001


>
>Or simpler, block them at the router.  ;-)
>


Erek,

   I also have had just about enough CR alerts and was thinking along 
those lines.  Can you share an example?  I am thinking of adding 
these lines to my access-group in list:

permit tcp any host my.web.server.ip eq 80
deny tcp any any eq 80 log

   NIDS would still see CR attacks on valid servers but this should 
stop the probes on invalid servers.  Any thoughts?

Randy



-- 

******************************************************************************
Randy Bradley | Systems Analyst | US Meat Animal Research Center | Clay Center
Computer Spec.| 402-762-4156    | bradley at ...3438...    | Nebraska
******************************************************************************
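
Added example, not part of the original post: the `log` keyword on the proposed deny line makes the router emit a `%SEC-6-IPACCESSLOGP` syslog message for matched traffic, and this Python sketch tallies the denied port-80 sources from such messages. The ACL number 101, the hostname and all addresses in the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format Cisco IOS emits for an extended-ACL
# entry carrying the "log" keyword. ACL number 101, the hostname and the
# documentation-range addresses are assumptions, not values from the post.
SAMPLE_LOG = """\
Sep 18 06:20:01 gw 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(3120) -> 192.0.2.20(80), 1 packet
Sep 18 06:20:04 gw 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(3121) -> 192.0.2.21(80), 1 packet
Sep 18 06:20:09 gw 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(4410) -> 192.0.2.20(80), 3 packets
Sep 18 06:21:15 gw 104: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.9(4411) -> 192.0.2.10(80), 1 packet
Sep 18 06:21:30 gw 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(3122) -> 192.0.2.22(25), 1 packet
Sep 18 06:22:00 gw 106: %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def denied_http_sources(log_text, acl="101"):
    """Return {src: (packet_total, sorted distinct destinations)} for denied tcp/80."""
    packets = Counter()
    targets = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        key = (m["acl"], m["action"], m["proto"], m["dport"])
        if key != (acl, "denied", "tcp", "80"):
            continue  # other ACL, permitted traffic, or a different port
        packets[m["src"]] += int(m["count"])
        targets.setdefault(m["src"], set()).add(m["dst"])
    return {src: (packets[src], sorted(targets[src])) for src in packets}


if __name__ == "__main__":
    for src, (pkts, dsts) in sorted(denied_http_sources(SAMPLE_LOG).items()):
        print(f"{src}: {pkts} packets to {len(dsts)} non-server hosts")
```

The packet count in each message is summed rather than counting lines, because IOS folds repeated matches into periodic summary messages.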



