[Snort-users] Flex-Response, anyone using it?

James Riden j.riden at ...11179...
Thu May 20 12:53:18 EDT 2004


<CGhercoias at ...8619...> writes:

> Here you go:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( sid: 1000589; rev: 1; msg:
> "Drop Email -- Waste of time"; content: "billygates_sux at ...125...";
> content: "IDont ThinkSo"; resp: rst_snd,icmp_all; classtype:
> bothering-activity;) 

Incidentally, this is a great example of how not to use snort - much
better to drop the message at the MUA, or on the MX if it's a
site-wide issue.

That's one of the dangers of using flexresp - you've got a big hammer
so you're tempted to go looking for things that look like nails.

-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/




