[Snort-users] Using resp against a virus -> LaBrea plugin?

Frank Knobbe fknobbe at ...652...
Tue Jul 9 20:24:02 EDT 2002


On Tue, 2002-07-09 at 21:39, Jeff Kell wrote:
> Michael Boman wrote:
> > 
> > On Wednesday 10 July 2002 05:39, Jeremy wrote:
> > >
> > >    I was just curious if resp could be used to reset the connection when an
> > > email virus matches a rule. For example we get tons of Klez matches on our
> > > external snort box and I was wondering if we could use resp to reset the
> > > connection before it hits the smtp server.
> > 
> > If you reset the SMTP transmission the SMTP server on the other end will try
> > again and again and again... You get the idea...
> > 
> > <rant>
> > Viruses should be stopped by an ANTI VIRUS software, NOT with an IDS software.
> 
> Oh, I don't know, there's a certain satisfaction in tying up the sender
> SMTP and adding to their outbound queue...


Man! You just gave me an idea. How about a LaBrea plugin for Snort so
that if a connection matches a signature, the connection will just be
kept hanging like LaBrea does it! That oughta take care of viruses and
worms alike...

Frank

