[Snort-users] Using resp against a virus

Jeremy prrthd at ...4180...
Tue Jul 9 17:34:04 EDT 2002


Hello all,

   I was just curious if resp could be used to reset the connection when an email virus matches a rule. For example we get tons of Klez matches on our external snort box and I was wondering if we could use resp to reset the connection before it hits the smtp server. We do have anti-virus on the SMTP server so it does catch Klez and sanitize the email, but it would be nice to take some load off that server by reseting the connection before it even got that far. I was not sure how tearing down the connection would affect the Source SMTP server, would it keep trying to send the email or would it be stopped in its tracks.

Please CC me any responses since I am not currently on this list.

Thanks,
  Jeremy





More information about the Snort-users mailing list