[Dshield] PHP attacks (was Re: Destructive botnet originating from Japan)

David Cary Hart DShield at TQMcube.com
Tue Dec 27 19:46:52 GMT 2005


On Sun, 25 Dec 2005 15:21:23 -0500
David Cary Hart <DShield at tqmcube.com> opined:
> On Sat, 24 Dec 2005 18:07:55 -0600
> Frank Knobbe <frank at knobbe.us> opined:
> > 
> > I wrote a quick hack the other day to import these type of events and
> > have Snortsam block these hosts automatically. Let me know if you want a
> > copy of that particular feed.
> > 
> Also, see the adaptive firewall tutorial from today's rss feed:
> http://isc.sans.org/diary.php?rss&storyid=962
> 
> I just posted a couple of apparent "corrections."
> 
> I also wanted to retain unique log identification which precludes putting the
> three rules into a chain. To simplify this, I created a list of trigger words
> in file "keys" and then used the following script to create a script to enter
> the rules in one shot. This could be done with a single script but I wanted to
> review the rules first.

In the way of follow-up, while "string" was recently moved from POM to IPT
1.34, it is difficult to control (no RegEx) and gets expensive in bandwidth
consumption. In addition, I find "recent" rather troublesome.

Thus, after experimenting, I reverted back to Swatch while using ATD to remove
rules after 30 minutes. These consume no bandwidth and keep the INPUT table
nicely trimmed. Even though the first packet isn't rejected or dropped, I
suspect that it is still more economical.
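One way to wire up the Swatch-plus-atd arrangement described above, as an added example and not the poster's own script: Swatch matches a trigger pattern in the web log and calls a helper that inserts a tagged DROP rule and queues its removal with at(1) 30 minutes later. The swatchrc lines, the helper path, the tag argument and the placeholder pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: helper that swatch can exec to block
# a log-matched host and have atd delete the rule 30 minutes later.
# Assumed swatchrc entry (swatch substitutes $1 with the first field of the
# matched line, the client IP in an Apache access log; the pattern is a
# placeholder for one of the trigger words from the "keys" file):
#   watchfor /PATTERN-FROM-keys-FILE/
#     exec "/usr/local/sbin/block_host.sh $1 php"
# iptables/at are only invoked when BLOCK_HOST_RUN=1, so the functions can
# be exercised on a machine without either tool.

BLOCK_MINUTES=30
IPT=${IPT:-/sbin/iptables}

# Return 0 only for a syntactically valid dotted-quad IPv4 address, so a
# crafted log line cannot smuggle extra words into the iptables command.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Rule arguments; the comment match tags the rule with the trigger name so
# it stays identifiable in "iptables -L" and in the queued removal job.
rule_args() {
  printf 'INPUT -s %s -m comment --comment swatch-%s -j DROP\n' "$1" "$2"
}

# Insert the DROP rule, then hand the matching delete to atd.
block_host() {
  ip=$1
  tag=${2:-swatch}
  valid_ipv4 "$ip" || { echo "block_host: bad address '$ip'" >&2; return 2; }
  args=$(rule_args "$ip" "$tag")
  $IPT -I $args || return 1
  echo "$IPT -D $args" | at "now + $BLOCK_MINUTES minutes"
}

if [ "${BLOCK_HOST_RUN:-0}" = 1 ]; then
  block_host "$@"
fi
```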

