Snort mailing list archives
Flexible response
From: Paul Enlund <paul () uactech co uk>
Date: Wed, 19 Sep 2001 16:57:56 +0100
I am testing an extension to sp_respond.c which allows a new response directive "block_peer" to be specified. On being called from within web-iis rules which catch this latest CR type exploit, snort forks a background script. This script is passed the peer's IP address. In my case I am simply blocking the peer's access to port 80, sleeping for 20 seconds, then clearing the block. The effect is to greatly reduce the IP traffic and server logs. Anybody interested in the changes to sp_respond.c is welcome if they drop me a line.

PE
--
+------------------------------------------------------------------+
| UAC Technology: OS9/OS9000 software services & support           |
| Information: www.uactech.co.uk                                   |
| Email: paul () uactech co uk                                     |
| Telephone: +44 (0)191 4565970 Fax +44 (0) 8700549430             |
+------------------------------------------------------------------+
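The kind of background script described in the message above, as an added example that is not the poster's script and not part of his sp_respond.c changes. It assumes iptables as the packet filter and the peer address arriving as the first argument; the NEVER_BLOCK allowlist, the DRY_RUN switch and all function names are hypothetical additions for illustration.

```shell
#!/bin/sh
# Added example: timed block of one peer's access to TCP port 80.
# Assumed, not from the post: iptables, NEVER_BLOCK, DRY_RUN, peer passed as $1.
BLOCK_SECS="${BLOCK_SECS:-20}"           # 20 seconds, as in the post
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"  # space-separated addresses never to block
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running them

# Accept only a dotted quad: four octets, 0..255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True when the address must never be blocked (the server itself, a gateway, ...).
never_block() {
    for safe in $NEVER_BLOCK; do
        [ "$1" = "$safe" ] && return 0
    done
    return 1
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

unblock_peer() { run iptables -D INPUT -s "$peer" -p tcp --dport 80 -j DROP; }

block_peer() {
    peer="$1"
    valid_ipv4 "$peer" || { echo "rejected: not an IPv4 address" >&2; return 2; }
    never_block "$peer" && { echo "rejected: $peer is allowlisted" >&2; return 3; }
    run iptables -I INPUT -s "$peer" -p tcp --dport 80 -j DROP || return 4
    trap 'unblock_peer; exit 1' INT TERM   # clear the block if interrupted
    sleep "$BLOCK_SECS"
    unblock_peer
    trap - INT TERM
}

# Runs only when an address is given on the command line.
if [ -n "${1:-}" ]; then block_peer "$1"; fi
```

Setting DRY_RUN=1 prints the two iptables commands without touching the rule set, which allows the validation and allowlist to be checked before the script is wired to a live sensor.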