[Snort-users] Code Red attacks

Alec Waters alec.waters at ...645...
Tue Sep 18 08:53:06 EDT 2001


Hi Randy,


> permit tcp any "my.web.server.ip" eq 80
> deny tcp any any eq 80 log
>
>    NIDS would still see CR attacks on valid servers but this should
> stop the probes on invalid servers.  Any thoughts?

If your router platform supports NBAR, you can even stop Code Red from reaching
valid servers altogether. Take a look at this:

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

It works a treat for me.

alec
--
Alec Waters
Dataline Software Ltd
Clarence House, 30-31 North Street, Brighton, BN1 1EB, UK

Tel: +44 (0)1273 324939
Fax: +44 (0)1273 205576
www: http://www.dataline.co.uk
wap: http://wap.dataline.co.uk
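
A sketch of the NBAR approach suggested above, as an added example that is not part of the original post: NBAR classifies HTTP requests whose URL contains default.ida (the file Code Red requests), marks them with a DSCP value on the way in, and an ACL on the server-facing interface drops the marked packets. The class-map and policy-map names, interface names, ACL number and DSCP value are assumptions chosen for illustration.

```cisco
! Added example; all names and numbers below are illustrative assumptions.
! NBAR requires CEF to be enabled on the router.
ip cef
!
! Classify HTTP requests whose URL matches the Code Red request target.
class-map match-any http-codered
 match protocol http url "*default.ida*"
!
! Mark matching packets so an ACL can act on them later.
policy-map mark-inbound-codered
 class http-codered
  set ip dscp 1
!
! Apply the marking policy where Internet traffic enters the router.
interface Serial0/0
 service-policy input mark-inbound-codered
!
! Drop (and log) anything carrying the mark; pass everything else.
access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any
!
! Enforce the ACL on the interface facing the web servers.
interface Ethernet0/0
 ip access-group 105 out
```

NBAR can only classify once the HTTP request itself arrives, so the TCP handshake with the server still completes and only the request is dropped. The `log` keyword on the deny entry keeps a record of blocked attempts, since a NIDS behind the router will no longer see them.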




