Snort mailing list archives
Re: Easy web-server protection?
From: twig les <twigles () yahoo com>
Date: Wed, 29 Jan 2003 10:55:41 -0800 (PST)
You are describing a host-based firewall. That is not what snort is. You can alternatively check out the intrusion prevention thread from this list a few months ago. That went into some detail regarding host protection and even named some urls/products. --- velbloud <velbloud () yahoo com> wrote:
Hi guys, I was just wondering, if it was possible to install SNORT on a machine running Apache web-server and have it DROP or REJECT those packets containing cmd.exe, FFFFF, BBBBBB and whatever other crap. I am a newbie to the whole thing and I was playing with the SNORT a bit, but couldn't get it to refuse those packets. It did log them, but they still made it to the web-server. I am using the standart installation and .conf files and I just tried to add a rule to the local.rules: alert tcp any any -> 192.168.1.10/32 80 (msg: "no-way"; content: "cmd.exe";nocase; react: block,msg;) but I guess I didn't get it right. Is anything like that possible at all? My server is behind a firewall so I am not really worried about the flag states etc. Do I have to use any of the MySQL setups? I want to keep it simple. Any suggestions are greatly appreciated. Thanks. Libor __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com
-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users ===== ----------------------------------------------------------- Know yourself and know your enemy and you will never fear defeat. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Easy web-server protection? velbloud (Jan 29)
- Re: Easy web-server protection? twig les (Jan 29)
- Re: Easy web-server protection? Javier Liendo (Jan 29)
- <Possible follow-ups>
- Re:Easy web-server protection? Shaiful (Jan 29)
- Re: Re:Easy web-server protection? Eduardo Kita (Jan 30)
- RE: Re:Easy web-server protection? Bob McDowell (Jan 30)