[Snort-users] using flex response to block auto updates of clientsoftware

Murphy murphy at ...2931...
Wed Jan 9 11:44:09 EST 2002


I think that what Glenn was trying to say was to block on src/dst host, not
specifically on port.
For example, blocking whatever windowsupdate.microsoft.com resolves to.
There is very little chance that any "legitimate" outgoing traffic would
connect to *that* host.

Murphy.



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Madhav
Diwan
Sent: Wednesday, January 09, 2002 18:01
To: Glenn Forbes Fleming Larratt
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] using flex response to block auto updates of
clientsoftware


I need to use Snort to look at the packet content and block on that. I
can't simply block a port because the ports are in use for regular client
tasks (usually) and the updates may or may not go through them... there's
no way to tell yet.

I would love to block the updates just using port blocking on my
firewalls there... but I can't block ports without making the software
useless. This is where both Snort's IDS and sniffing functions come to
play together.

Madhav.


> Glenn Forbes Fleming Larratt wrote:
>
> Um...why use flex response as opposed to simply blocking the traffic
> from the external host or hosts, using whatever firewall or other
> access control you have at your site? What you want to do seems more
> a firewall than an IDS task.
>
>         -g
>
> On Wed, 9 Jan 2002, Madhav Diwan wrote:
>
> >  I would like to put an IDS in place on a proxy server that handles
> > mainly tcp connections from several clients to a external service
> > provider running a tcp server over nonstandard ports.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
