[Snort-users] using flex response to block auto updates of clientsoftware
murphy at ...2931...
Wed Jan 9 11:44:09 EST 2002
I think that what Glenn was trying to say was to block on src/dst host, not
specifically on port.
For example, blocking whatever windowsupdate.microsoft.com resolves to.
There is very little chance that any "legitimate" outgoing traffic would
connect to *that* host.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Madhav
Sent: Wednesday, January 09, 2002 18:01
To: Glenn Forbes Fleming Larratt
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] using flex response to block auto updates of
I need to use Snort to look at the packet content and block on that. I
can't simply block a port because the ports are in use for regular client
tasks (usually) and the updates may or may not go through them... there's
no way to tell yet.
I would love to block the updates just using port blocking on my
firewalls there... but I can't block ports without making the software
useless. This is where both Snort's IDS and sniffing functions come to
> Glenn Forbes Fleming Larratt wrote:
> Um...why use flex response as opposed to simply blocking the traffic
> from the external host or hosts, using whatever firewall or other
> access control you have at your site? What you want to do seems more
> a firewall than an IDS task.
> On Wed, 9 Jan 2002, Madhav Diwan wrote:
> > I would like to put an IDS in place on a proxy server that handles
> > mainly tcp connections from several clients to a external service
> > provider running a tcp server over nonstandard ports.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive: