Re: Snort-Inline and worm containment
From: Lance Spitzner <lance(at)honeynet.org>
Date: Wed Jan 29 2003 - 18:21:33 EST
> The recent Slammer worm made me think a little about using Snort-Inline

The Honeynet Project has been doing some playing with this. What can potentially block this type of inbound (or outbound) activity is not only the matching rule, but the scanning. The portscan preprocessor can detect scanning activity. If a worm were to meet this criteria, the portscan preprocessor can be used to block it. We already tested this with the fnord preprocessor. As I said, we are just in the initial testing of using not only rules, but preprocessors for blocking malicious activity.

lance

Received on Fri Jan 31 11:24:51 2003