[Snort-users] using flex response to block auto updates of client software

Madhav Diwan mdiwan at ...200...
Wed Jan 9 07:37:12 EST 2002


 Hi everyone..

 I was wondering if this was possible, and if so, how I would go about
doing it.. as in setting up the rule and testing whether it would work.

 I would like to put an IDS in place on a proxy server that handles
mainly TCP connections from several clients to an external service
provider running a TCP server over nonstandard ports.

 This/these server/s (I don't know if there is one or many) autoupdates
the client software on the internal Windows/NT machines.. without
notification or requesting authorization from the admin or user of the
client machine.

I want to set up a system using flex response to block auto updates of
client software until the local LAN admin says it's OK for the auto
update to occur.

Also.. will there be any problem setting up the Snort 1.8.3 RPM on a RedHat
6.2 box (my proxy server)?


I know the port numbers and the MAC numbers involved. I can tcpdump the
traffic and get a look at the content of the packets.. but it's hard to
know what to look for, especially as we don't know what things are
getting updated or when.. we do know that some DLLs and EXE files get
updated. (Plus there is a chance that the traffic between client and
server is encrypted with the software's own scheme.)

What should I look for so I can create the right signature?

Thank you

Madhav Diwan
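As an added illustration of the kind of rule being asked about (not part of the original post, and not a rule from the Snort project), the following Snort 1.8-era rule uses the flexresp `resp:` keyword to tear down a connection when a Windows PE image (which begins with the two bytes "MZ") is seen arriving from the update server on its nonstandard port. The `var` values, the port 4444 and the `sid` are placeholders to be replaced with the real addresses and ports from the site's tcpdump captures:

```snort
# Added example, not from the original post. All addresses, ports and
# the sid are placeholders; substitute the values observed in tcpdump.
var HOME_NET 192.168.1.0/24            # placeholder: internal NT clients
var UPDATE_SRV 203.0.113.10            # placeholder: service provider's server

# Match the start of a PE file ("MZ" at offset 0 of the payload) coming
# from the update server on its nonstandard port, log it, and send TCP
# resets to both ends so the download does not complete.
alert tcp $UPDATE_SRV 4444 -> $HOME_NET any \
    (msg:"Unauthorized client auto-update: PE file from update server"; \
     flags:A+; content:"MZ"; depth:2; \
     resp:rst_all; sid:1000001; rev:1;)

# If the update channel turns out to be encrypted, a content match on
# "MZ" will never fire. The fallback is to reset the whole session the
# moment the client tries to reach the update port at all, and re-enable
# the channel (comment the rule out and restart snort) when the LAN
# admin approves an update window.
alert tcp $HOME_NET any -> $UPDATE_SRV 4444 \
    (msg:"Client contacting auto-update server while updates are disabled"; \
     flags:S; resp:rst_all; sid:1000002; rev:1;)
```

Two practical notes. First, `resp:` only works if Snort was built with flexresp enabled (`./configure --enable-flexresp` plus libnet at build time); a stock RPM may not include it, so check `snort -?` for the flexresp line before relying on the rule. Second, flexresp is reactive: the packet that triggered the alert has already been forwarded, and the resets race the rest of the transfer, so on a proxy host it is best treated as a detection-plus-disruption control and paired with an ordinary packet-filter or proxy ACL for the update port when a hard block is required.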



