[tech] Snort: should we block attacking hosts?
Matt Johnston
matt at ucc.asn.au
Tue Feb 21 09:47:02 WST 2012
Isn't all that rubbish already firewalled though?
Matt
On Tue, Feb 21, 2012 at 12:16:28AM +0800, Anil Sharma wrote:
> I'm not a computer scientist, but ...
>
> If blocking these hosts is trivial to automate, I'm all for it. It
> means we also block attacks coming from them that we can't detect.
>
> On 20 February 2012 23:04, Grahame Bowland <grahame at angrygoats.net> wrote:
> > Hey
> >
> > Do you care about MS-SQL attacks? Seems like it's probably wasted effort.
> >
> > On 20 February 2012 22:59, Daniel Axtens <danielax at gmail.com> wrote:
> >>
> >> Greetings!
> >>
> >> Perusal of the daily snort emails shows that many of the alerts are
> >> generated by a relatively small number of hosts, mostly trying to propagate
> >> some sort of MS-SQL worm.
> >>
> >> What are people's opinions on setting up fail2ban to drop traffic coming
> >> from hosts who send lots of known-bad traffic?
> >>
> >> The obvious downside is potential DOS on valid users. How big is this risk
> >> and do we care?
> >>
> >> Thanks in advance,
> >> -- d
> >
> >
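
Added example, not part of the thread: a sketch of the threshold-based selection Daniel asks about, run over Snort fast-format alert lines, with an allowlist as the guard against blocking valid users. The function names, thresholds, allowlisted network, year and sample alerts are all constructed for illustration; fail2ban itself is not used here.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+.*?\s+\[\*\*\]"
    r".*\{\w+\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+\S+$"
)

def ban_candidates(lines, max_alerts=3, window=timedelta(minutes=10),
                   allowlist=("192.0.2.0/24",), year=2012):
    """Return source IPs that raised >= max_alerts alerts within `window`.

    Allowlisted networks are never returned, whatever they trigger.
    Fast-format timestamps carry no year, so `year` is an assumption.
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    seen = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a fast-format alert line
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):
            continue  # valid users must not be blockable via alerts
        seen[src].append(datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S"))
    banned = []
    for src, stamps in seen.items():
        stamps.sort()
        # Sliding window: any max_alerts consecutive alerts close enough together
        if any(stamps[i + max_alerts - 1] - stamps[i] <= window
               for i in range(len(stamps) - max_alerts + 1)):
            banned.append(str(src))
    return sorted(banned)

def _alert(ts, src):
    """Build one constructed sample alert (hypothetical local SID 1000001)."""
    return (f"{ts}.000000  [**] [1:1000001:1] constructed MS-SQL worm alert [**] "
            f"[Classification: Misc Attack] [Priority: 2] {{UDP}} {src}:1052 -> 198.51.100.10:1434")

SAMPLE = [  # constructed data: a noisy host, a slow host, an allowlisted host, a one-off
    _alert("02/20-22:50:01", "203.0.113.5"), _alert("02/20-22:52:30", "203.0.113.5"),
    _alert("02/20-22:58:59", "203.0.113.5"), _alert("02/20-20:00:00", "203.0.113.77"),
    _alert("02/20-20:20:00", "203.0.113.77"), _alert("02/20-20:40:00", "203.0.113.77"),
    _alert("02/20-22:51:00", "192.0.2.20"), _alert("02/20-22:51:10", "192.0.2.20"),
    _alert("02/20-22:51:20", "192.0.2.20"), _alert("02/20-22:55:00", "198.51.100.9"),
]

if __name__ == "__main__":
    print(ban_candidates(SAMPLE))
```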