Brian Caswell wrote:
So, I don't see much discussion about these rules. Heck, I don't think
I've seen any. What is the point in these rules?
To drop inbound attacks from dshield listed hosts, and to detect
outbound traffic to them. (outbound has turned out to be more
interesting actually)
Snort can do many things, in fact, if I care to update a plugin I wrote
many many many years ago, it can even make coffee... but why make Snort
a firewall? Wouldn't it be much faster to have the firewall do this
work, not Snort?
Mostly because these update very often, hourly if you like. We already
have an automated way to push sigs to many places, we don't have an
automated way to push firewall rules to many devices on a daily/hourly
basis.
In our case, we don't review all firewall logs in realtime, and wouldn't
necessarily notice these log entries among the noise.
So it's a very easy way to get this pushed, and to easily see hits on it
through existing channels.
Matt
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
:wq
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
