[Snort-users] Using resp against a virus

Jeff Kell jeff-kell at ...6282...
Tue Jul 9 19:40:02 EDT 2002

Michael Boman wrote:
> On Wednesday 10 July 2002 05:39, Jeremy wrote:
> >
> >    I was just curious if resp could be used to reset the connection when an
> > email virus matches a rule. For example we get tons of Klez matches on our
> > external snort box and I was wondering if we could use resp to reset the
> > connection before it hits the smtp server.
> If you reset the SMTP transmission the SMTP server on the other end will try
> again and again and again... You get the idea...
> <rant>
> Viruses should be stopped by a ANTI VIRUS software, NOT with a IDS software.

Oh, I don't know, there's a certain satisfaction in tying up the sender
SMTP and adding to their outbound queue...


More information about the Snort-users mailing list