31 Jan 2002 11:42:30 +0000
> I was planning on using this in conjunction with snort but now maybe I will
> just use snort. I cannot use a proxy server, but I absolutly have to block
> these packets. Im well aware that if I block the packet containing the
> cmd.exe ot root.exe string I will have a open tcp connection on the server
> that will not close till it times out. So I was going to use snort ot send a
> tcp RST to that machine. What I did not want to do was have snort setting up
> 2000 Ip blocks in a few minutes for different IPs. So I was going to use the
> string match to block the packet with the string in it and reset the TCP
> connection on my end leaving it hung open on the sending hosts end.
Why don't you use snort-iptables?
It filters packets and you can get it to reset the connection as well.