[Snort-users] Code Red attacks

Erek Adams erek at ...577...
Tue Sep 18 09:04:05 EDT 2001

On Tue, 18 Sep 2001, Randy Bradley wrote:

>    I also have had just about enough CR alerts and was thinking along
> those lines.  Can you share an example?  I am thinking of adding
> these lines to my access-group in list:
> permit tcp any "my.web.server.ip" eq 80
> deny tcp any any eq 80 log
>    NIDS would still see CR attacks on valid servers but this should
> stop the probes on invalid servers.  Any thoughts?

Should work fine.  I'm sure Cisco has a handy-dandy guide on how to set up
those filters.  They got slammed with CR on some of the DSL routers.  Surf
the site and see what you can turn up.

Erek Adams
