Snort mailing list archives
Re: using flex response to block auto updates of clientsoftware
From: Madhav Diwan <mdiwan () wagweb com>
Date: Wed, 09 Jan 2002 16:11:28 -0500
If only things were that simple. Traffic is allowed to and from the server subnet, not from specific servers; the control is mainly on what ports are allowed into my LAN from their subnet. There is no way to tell what servers PUSH the updates without logging for a month or two. ... Therefore I must rely on packet content and hope I get lucky.

Madhav

Murphy wrote:

I think that what Glenn was trying to say was to block on src/dst host, not specifically on port. For example, blocking whatever windowsupdate.microsoft.com resolves to. There is very little chance that any "legitimate" outgoing traffic would connect to *that* host.

Murphy.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Madhav Diwan
Sent: Wednesday, January 09, 2002 18:01
To: Glenn Forbes Fleming Larratt
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] using flex response to block auto updates of clientsoftware

I need to use Snort to look at the packet content and block on that. I can't simply block a port because the ports are in use for regular client tasks (usually) and the updates may or may not go through them. There's no way to tell yet. I would love to block the updates just using port blocking on my firewalls there, but I can't block ports without making the software useless. This is where both Snort's IDS and sniffing functions come to play together.

Madhav.

Glenn Forbes Fleming Larratt wrote:

Um...why use flex response as opposed to simply blocking the traffic from the external host or hosts, using whatever firewall or other access control you have at your site? What you want to do seems more a firewall than an IDS task.

-g

On Wed, 9 Jan 2002, Madhav Diwan wrote:

I would like to put an IDS in place on a proxy server that handles mainly TCP connections from several clients to an external service provider running a TCP server over nonstandard ports.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:
- using flex response to block auto updates of client software Madhav Diwan (Jan 09)
- Re: using flex response to block auto updates of client software Glenn Forbes Fleming Larratt (Jan 09)
- Re: using flex response to block auto updates of clientsoftware Madhav Diwan (Jan 09)
- using flex response to block auto updates of clientsoftware Murphy (Jan 09)
- Re: using flex response to block auto updates of clientsoftware Madhav Diwan (Jan 09)
- Re: using flex response to block auto updates of clientsoftware Saad Kadhi (Jan 09)
- Re: using flex response to block auto updates of clientsoftware Madhav Diwan (Jan 09)
- Re: using flex response to block auto updates of client software Glenn Forbes Fleming Larratt (Jan 09)
