Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Antwort: Re: Blocking not friendly traffic

From: ks () schuricht de
Date: Tue, 7 Aug 2001 09:14:44 +0200

Hi Ralf,


Nothing ... After some time my IIS5+Index server again infected.
Question: with snort I can block this traffic or not? Or I must
use normal firewall (like Firewall-1 or other firewall)???



If the alert is triggered, the packet already infected your machine.
So there's little you can do. Normal firewall won't help, because it's
legitimate traffic (the point of a webserver is to server webpages!)


I write a litte c-program that scans snort-logfiles all 15 minutes
for several attacks. If we detect portscan, CodeReds a.s.o. the program
rejects tcp/udp/icmptraffic for all 'enemy' hosts found (means: inserts
a ipchains-Rules). It's a bit like guardian.



Best regards,
  Kai.
--
Abt. eBusiness / Entwicklung
D. Schuricht GmbH & Co. KG
http://www.schuricht.de



                                                                                                              
                    Ralf Hildebrandt                                                                          
                    <Ralf.Hildebrandt@innominate.        An:     Snort-users () lists sourceforge net            
                    com>                                 Kopie:                                               
                    Gesendet von:                        Thema:  Re: [Snort-users] Blocking not friendly      
                    snort-users-admin@lists.sourc        traffic                                              
                    eforge.net                                                                                
                                                                                                              
                                                                                                              
                    07.08.01 08:20                                                                            
                                                                                                              
                                                                                                              




On Tue, Aug 07, 2001 at 12:47:56PM +0700, ??????? ??????? wrote:


Nothing ... After some time my IIS5+Index server again infected.
Question: with snort I can block this traffic or not? Or I must
use normal firewall (like Firewall-1 or other firewall)???


If the alert is triggered, the packet already infected your machine.
So there's little you can do. Normal firewall won't help, because it's
legitimate traffic (the point of a webserver is to server webpages!)

If you want servers that work, stay up, perform, and aren't rooted
every other second, use Apache on OpenBSD.

--
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: