[Snort-users] Easy web-server protection?

Javier Liendo javier at ...7920...
Wed Jan 29 11:39:05 EST 2003


Depending on the resources you have available, there
are two options that work fine. The first one is to
put a hogwash machine (http://hogwash.sourceforge.net)
in front of your web server and to configure it to
drop all the packets that come with a cmd.exe or
whatever other attributes you may be interested
in (cons: if your hogwash device goes down, your web
server becomes unavailable). A second option that
has worked for me is to use snort compiled with the
flexresp option and to rst_all/rst_snd/rst_rcv the
packets containing "cmd.exe" in the URL (or, for that
matter, any other attribute)...



--- velbloud <velbloud at ...131...> wrote:
> Hi guys,
> I was just wondering if it was possible to install
> SNORT on a machine running Apache web-server and have
> it DROP or REJECT those packets containing cmd.exe,
> FFFFF, BBBBBB and whatever other crap. I am a newbie
> to the whole thing and I was playing with SNORT a
> bit, but couldn't get it to refuse those packets. It
> did log them, but they still made it to the
> web-server.
> I am using the standard installation and .conf files
> and I just tried to add a rule to the local.rules:
> alert tcp any any -> 80 (msg: "no-way"; content: "cmd.exe";nocase; react: block,msg;)
> but I guess I didn't get it right. Is anything like
> that possible at all? My server is behind a firewall
> so I am not really worried about the flag states etc.
> Do I have to use any of the MySQL setups? I want to
> keep it simple.
> Any suggestions are greatly appreciated.
> Thanks.
> Libor

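The second option in the reply above, written out as an added example that is not part of the original thread: an alert-only rule beside the same rule with a flexresp `resp` action. `$EXTERNAL_NET` and `$HTTP_SERVERS` are the stock snort.conf variables; the msg text and sid values are constructed for this example.

```snort
# Added example, not from the thread. msg text and sid values are constructed.
# flexresp has to be compiled in before the resp keyword is accepted:
#   ./configure --enable-flexresp && make && make install

# Alert only: the request is logged and the session carries on untouched.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL cmd.exe in URI (alert only)"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)

# Same match with an active response: rst_all sends TCP resets to both ends.
# rst_snd resets only the sending side, rst_rcv only the receiving side.
# Load this rule instead of the one above, not alongside it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL cmd.exe in URI (session reset)"; flow:to_server,established; uricontent:"cmd.exe"; nocase; resp:rst_all; classtype:web-application-attack; sid:1000002; rev:1;)
```

flexresp sends its resets after Snort has already seen the matching packet, so that packet is still delivered to the web server; the reset only tears down the rest of the session.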