[Snort-users] using flex response to block auto updates of clientsoftware

Madhav Diwan mdiwan at ...200...
Wed Jan 9 13:12:02 EST 2002


If only things were that simple... Traffic is allowed to and from the
server subnet, not from specific servers; the control is mainly on
what ports are allowed into my LAN from their subnet. There is no way to
tell what servers PUSH the updates without logging for a month or two.
Therefore I must rely on packet content and hope I get lucky.

madhav


> Murphy wrote:
> 
> I think that what Glenn was trying to say, was to block on src/dst host not
> specifically on port.
> For example, blocking whatever windowsupdate.microsoft.com resolves to.
> There is very little chance that any "legitimate" outgoing traffic would
> connect to *that* host.
> 
> Murphy.
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Madhav Diwan
> Sent: Wednesday, January 09, 2002 18:01
> To: Glenn Forbes Fleming Larratt
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] using flex response to block auto updates of clientsoftware
> 
> I need to use snort to look at the packet content and block on that. I
> can't simply block a port because the ports are in use for regular client
> tasks (usually) and the updates may or may not go through them... there's
> no way to tell yet.
> 
> I would love to block the updates just using port blocking on my
> firewalls there... but I can't block ports without making the software
> useless. This is where both snort's IDS and sniffing functions come to
> play together.
> 
> Madhav.
> 
> > Glenn Forbes Fleming Larratt wrote:
> >
> > Um...why use flex response as opposed to simply blocking the traffic
> > from the external host or hosts, using whatever firewall or other
> > access control you have at your site? What you want to do seems more
> > a firewall than an IDS task.
> >
> >         -g
> >
> > On Wed, 9 Jan 2002, Madhav Diwan wrote:
> >
> > > I would like to put an IDS in place on a proxy server that handles
> > > mainly tcp connections from several clients to an external service
> > > provider running a tcp server over nonstandard ports.
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users



