[Snort-users] using flex response to block auto updates of client software

Saad Kadhi bsdguy at ...4401...
Wed Jan 9 12:10:38 EST 2002


On Wed, 2002-01-09 at 18:00, Madhav Diwan wrote:
> I need to use snort to look at the packet content and block on that. I
> can't simply block a port because the ports are in use for regular client
> tasks (usually) and the updates may or may not go through them... there's
> no way to tell yet.
> 
> I would love to block the updates just using port blocking on my
> firewalls there... but I can't block ports without making the software
> useless. This is where both snort's IDS and sniffing functions come to
> play together.
Well, using flexresp for this type of task may lead to a truckload of
problems & bundled headaches. To my knowledge, flexresp is not _that_
stable. If I were you & if the update software uses HTTP or the like,
you can transparently redirect it to a dansguardian box & block it
there. This is a task for the firewall or for content filtering
software.

my 0.02 euros.
 
> 
> Madhav.
> 
> 
> > Glenn Forbes Fleming Larratt wrote:
> > 
> > Um...why use flex response as opposed to simply blocking the traffic
> > from the external host or hosts, using whatever firewall or other
> > access control you have at your site? What you want to do seems more
> > a firewall than an IDS task.
> > 
> >         -g
> > 
> > On Wed, 9 Jan 2002, Madhav Diwan wrote:
> > 
> > >  I would like to put an IDS in place on a proxy server that handles
> > > mainly tcp connections from several clients to a external service
> > > provider running a tcp server over nonstandard ports.
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
-- 
/Saad --  [bsdguy at ...4401...] 
[pgp keyid: 35592A6D http://pgp.mit.edu]
# buy a geek-in-a-can, point nozzle at technical problem and spray
# if desperate degauss your screen. it might solve your pb as well




