[Snort-users] Code Red attacks

Alec Waters alec.waters at ...645...
Tue Sep 18 08:53:06 EDT 2001

Hi Randy,

> permit tcp any "my.web.server.ip" eq 80
> deny tcp any any eq 80 log
>    NIDS would still see CR attacks on valid servers but this should
> stop the probes on invalid servers.  Any thoughts?

If your router platform supports NBAR, you can even stop Code Red from reaching
valid servers altogether. Take a look at this:


It works a treat for me.

Alec Waters
Dataline Software Ltd
Clarence House, 30-31 North Street, Brighton, BN1 1EB, UK

Tel: +44 (0)1273 324939
Fax: +44 (0)1273 205576
www: http://www.dataline.co.uk
wap: http://wap.dataline.co.uk
