[Snort-users] Code Red attacks

Adrian Mink adrian at ...3493...
Tue Sep 18 10:09:03 EDT 2001

I have already done exactly that, for the same reasons. It works.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Tuesday, September 18, 2001 11:04 AM
To: Randy Bradley
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Code Red attacks

On Tue, 18 Sep 2001, Randy Bradley wrote:

>    I also have had just about enough CR alerts and was thinking along
> those lines.  Can you share an example?  I am thinking of adding
> these lines to my access-group in list:
> permit tcp any "my.web.server.ip" eq 80
> deny tcp any any eq 80 log
>    NIDS would still see CR attacks on valid servers but this should
> stop the probes on invalid servers.  Any thoughts?

Should work fine.  I'm sure Cisco has a handy-dandy guide on how to set up
those filters.  They got slammed with CR on some of the DSL routers.  Surf
the site and see what you can turn up.

Erek Adams
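
Added example, not part of the original thread: a small Python model of first-match access-list evaluation applied to the two entries quoted above, run over constructed packets. The address 192.0.2.10 stands in for "my.web.server.ip", the `host` keyword and the sample packets are assumptions, and only these two entries plus the implicit deny that ends an access list are modeled, not the rest of the poster's list.

```python
import ipaddress

WEB_SERVER = "192.0.2.10"  # constructed placeholder for "my.web.server.ip"

# The two entries from the post, in order, with the IOS "host" keyword added.
ACL = [
    f"permit tcp any host {WEB_SERVER} eq 80",
    "deny tcp any any eq 80 log",
]

def parse_entry(line):
    """Parse 'action proto src dst [eq port] [log]' (only the subset used here)."""
    tok = line.split()
    entry = {"action": tok[0], "proto": tok[1], "port": None, "log": False}
    i = 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            entry[side], i = None, i + 1
        elif tok[i] == "host":
            entry[side], i = ipaddress.ip_address(tok[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported address form: {tok[i]}")
    if i < len(tok) and tok[i] == "eq":
        entry["port"], i = int(tok[i + 1]), i + 2
    entry["log"] = i < len(tok) and tok[i] == "log"
    return entry

def evaluate(acl_lines, proto, src, dst, dport):
    """First match wins; a packet matching no entry hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, e in enumerate(map(parse_entry, acl_lines), start=1):
        if e["proto"] != proto:
            continue
        if e["src"] not in (None, src) or e["dst"] not in (None, dst):
            continue
        if e["port"] not in (None, dport):
            continue
        return e["action"], e["log"], n
    return "deny", False, None  # implicit deny, not logged

if __name__ == "__main__":
    # Constructed packets: port 80 to the real server, port 80 to a host
    # with no web server, and unrelated mail traffic.
    for pkt in [("tcp", "203.0.113.7", WEB_SERVER, 80),
                ("tcp", "203.0.113.7", "192.0.2.55", 80),
                ("tcp", "198.51.100.4", "192.0.2.25", 25)]:
        print(pkt, "->", evaluate(ACL, *pkt))
```

The third packet matches neither entry, so in this two-entry model it falls to the implicit deny; in a real list its fate depends on the other entries already present.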
