Snort mailing list archives
Re: Question about Alerts
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 28 Oct 2002 13:09:51 -0500
Yes, there are tools to do what you suggest; I'd try looking up hogwash. I'd also strongly suggest not doing dynamic blocks on SMTP traffic, as you've suggested here.
The mailserver attempting to deliver the mail will repeatedly attempt delivery for several days, and you're going to wind up occasionally blocking whole ISPs (yes, klez does sometimes arrive from a "legitimate" mailserver for an ISP, I've gotten two such klez emails in the past 5 days.)
Since you're not going to want to be blocking a whole ISP for several days, you'll wind up having to manually clear the block, at which point the mailserver will retry all the spooled email it has for your server. This will most likely start with the oldest mail, which will be the klez containing one, causing them to be blocked again.
If you don't have a virus scanner for your mailserver, snort is a lousy substitute.
At 10:37 AM 10/28/2002 -0700, Joe Giles wrote:
I think I have seen this question before, but I'll ask again. Is there any way to incorporate Snort with IPTABLES in order to drop selected IPs that generate an alert? Example: I get a KLEZ incoming alert. I would like to have that passed to IPTABLES to DROP that IP address long enough to not allow the virus to get transferred, then reopen the IP till the next alert. Or something along those lines. Thoughts? Thanks, Joe
------------------------------------------------------- This sf.net email is sponsored by: ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
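The retry problem Matt describes above can be made concrete with a small simulation. This is an added example, not code from the thread, Snort, hogwash or iptables: it models a sending ISP relay with a spool that is retried oldest-first, a firewall that drops the relay's IP for a fixed time after an IDS alert, and, for contrast, a mail server whose virus scanner rejects the infected message during the SMTP transaction. The relay address, the message list, the tick lengths and the retry limit are all constructed values.

```python
"""Alert-driven IP blocking on SMTP versus rejecting at the mail server.

Constructed simulation for illustration; it is not Snort, hogwash or iptables
code and the relay IP, spool contents and timings are made-up values.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Message:
    msg_id: str
    infected: bool          # would trigger a virus signature (constructed flag)
    attempts: int = 0


@dataclass
class Relay:
    """Sending ISP relay: one spool, retried oldest-first, bounced after max_attempts."""
    ip: str
    spool: deque
    max_attempts: int = 3


class IpBlocker:
    """Firewall that drops all traffic from an IP for `ttl` ticks after an IDS alert."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, -1) > now

    def alert(self, ip, now):
        self.blocked_until[ip] = now + self.ttl


def simulate(relay, mode, ttl=3, ticks=50):
    """Run the relay's retry loop for up to `ticks` steps.

    mode="block":  IDS alert -> drop the source IP for ttl ticks (the approach
                   proposed in the thread).
    mode="reject": the mail server's scanner answers the infected message with a
                   permanent SMTP error; the relay bounces just that message.
    Returns delivery ticks, bounced ids and how often the relay was blocked.
    """
    blocker = IpBlocker(ttl)
    result = {"delivered": [], "bounced": [], "block_events": 0}
    for now in range(ticks):
        if not relay.spool:
            break
        if blocker.is_blocked(relay.ip, now):
            continue  # connection dropped: relay keeps its whole spool and retries later
        msg = relay.spool[0]
        msg.attempts += 1
        if not msg.infected:
            relay.spool.popleft()
            result["delivered"].append((msg.msg_id, now))
        elif mode == "reject":
            relay.spool.popleft()  # 5xx at DATA time: sender bounces only this message
            result["bounced"].append(msg.msg_id)
        else:  # mode == "block"
            blocker.alert(relay.ip, now)  # IDS fires, firewall drops the whole relay
            result["block_events"] += 1
            if msg.attempts >= relay.max_attempts:
                relay.spool.popleft()  # sender finally gives up on its oldest message
                result["bounced"].append(msg.msg_id)
    return result


def example_spool():
    # Constructed spool: one Klez-like message queued ahead of two legitimate ones.
    return deque([Message("klez-1", True),
                  Message("legit-1", False),
                  Message("legit-2", False)])


def run_block():
    # 198.51.100.25 is a documentation-range address, constructed for this example.
    return simulate(Relay("198.51.100.25", example_spool()), mode="block")


def run_reject():
    return simulate(Relay("198.51.100.25", example_spool()), mode="reject")


if __name__ == "__main__":
    print("block :", run_block())
    print("reject:", run_reject())
```

In "block" mode the infected message stays at the head of the spool, so every time the block expires the relay re-sends it, the IDS fires again and the relay (and everyone else whose mail it carries) is blocked again; the two legitimate messages only get through after the sender gives up on the infected one. In "reject" mode the scanner disposes of the one bad message and the rest of the spool is delivered on the next two retries with no address ever blocked.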
Current thread:
- Question about Alerts Joe Giles (Oct 28)
- Re: Question about Alerts Matt Kettler (Oct 28)
- <Possible follow-ups>
- RE: Question about Alerts Miller, Eoin (Oct 28)
- RE: Question about Alerts Joe Giles (Oct 28)