Snort mailing list archives

RE: Code Red attacks


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 18 Sep 2001 09:03:32 -0700 (PDT)

On Tue, 18 Sep 2001, Randy Bradley wrote:

> I also have had just about enough CR alerts and was thinking along
> those lines.  Can you share an example?  I am thinking of adding
> these lines to my access-group in list:
>
> permit tcp any "my.web.server.ip" eq 80
> deny tcp any any eq 80 log
>
> NIDS would still see CR attacks on valid servers but this should
> stop the probes on invalid servers.  Any thoughts?

Should work fine.  I'm sure Cisco has a handy-dandy guide on how to set up
those filters.  They got slammed with CR on some of the DSL routers.  Surf
the site and see what you can turn up.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
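
Added example, not part of the original thread: a small first-match evaluator showing how the two proposed lines behave, and why their position in an existing list matters. The address 192.0.2.10 standing in for "my.web.server.ip", the pre-existing "permit ip any any" entry, and the sample packets are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

WEB = "192.0.2.10"  # assumed stand-in for "my.web.server.ip" (documentation range)

# Each rule: (action, destination network, destination TCP port or None for any, log?)
EXISTING = [("permit", "0.0.0.0/0", None, False)]  # assumed existing "permit ip any any"
NEW = [
    ("permit", WEB + "/32", 80, False),  # permit tcp any <web server> eq 80
    ("deny", "0.0.0.0/0", 80, True),     # deny tcp any any eq 80 log
]

def evaluate(acl, dst, dport):
    """Return (action, logged) for a TCP packet using first-match semantics."""
    for action, net, port, log in acl:
        if ip_address(dst) in ip_network(net) and port in (None, dport):
            return action, log
    return "deny", False  # implicit deny that ends every access list

def run(acl, packets):
    """Evaluate every packet against the list, in order."""
    return [evaluate(acl, dst, dport) for dst, dport in packets]

# Constructed sample traffic: (destination address, destination TCP port)
PACKETS = [
    (WEB, 80),           # request to the real web server (NIDS still sees it)
    ("192.0.2.55", 80),  # port 80 probe to a host that runs no web server
    ("192.0.2.55", 25),  # unrelated mail traffic
]

if __name__ == "__main__":
    for name, acl in (("new lines placed first", NEW + EXISTING),
                      ("new lines appended last", EXISTING + NEW)):
        print(name)
        for pkt, result in zip(PACKETS, run(acl, PACKETS)):
            print("  ", pkt, "->", result)
```

Placed ahead of the broad permit, the new lines drop and log the probe while leaving the web server and other traffic alone; appended after it, they never match and the probe still gets through.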

