[tech] Snort: should we block attacking hosts?
Anil Sharma
maset at ucc.asn.au
Tue Feb 21 00:16:28 WST 2012
I'm not a computer scientist, but ...
If blocking these hosts is trivial to automate, I'm all for it. It
means we also block attacks coming from them that we can't detect.
On 20 February 2012 23:04, Grahame Bowland <grahame at angrygoats.net> wrote:
> Hey
>
> Do you care about MS-SQL attacks? Seems like it's probably wasted effort.
>
> On 20 February 2012 22:59, Daniel Axtens <danielax at gmail.com> wrote:
>>
>> Greetings!
>>
>> Perusal of the daily snort emails shows that many of the alerts are
>> generated by a relatively small number of hosts, mostly trying to propagate
>> some sort of MS-SQL worm.
>>
>> What are people's opinions on setting up fail2ban to drop traffic coming
>> from hosts who send lots of known-bad traffic?
>>
>> The obvious downside is potential DOS on valid users. How big is this risk
>> and do we care?
>>
>> Thanks in advance,
>> -- d
>
>