[Snort-users] Using resp against a virus -> LaBrea plugin?
fknobbe at ...652...
Tue Jul 9 20:24:02 EDT 2002
On Tue, 2002-07-09 at 21:39, Jeff Kell wrote:
> Michael Boman wrote:
> > On Wednesday 10 July 2002 05:39, Jeremy wrote:
> > >
> > > I was just curious if resp could be used to reset the connection when an
> > > email virus matches a rule. For example we get tons of Klez matches on our
> > > external snort box and I was wondering if we could use resp to reset the
> > > connection before it hits the smtp server.
> > If you reset the SMTP transmission the SMTP server on the other end will try
> > again and again and again... You get the idea...
> > <rant>
> > Viruses should be stopped by an ANTI VIRUS software, NOT with an IDS software.
> Oh, I don't know, there's a certain satisfaction in tying up the sender
> SMTP and adding to their outbound queue...
Man! You just gave me an idea. How about a LaBrea plugin for Snort so
that if a connection matches a signature, the connection will just be
kept hanging like LaBrea does it! That oughta take care of viruses and