title: Now that's what I call quite good!
date: 2004-10-17 21:30:32

Just going over the alerts from ACID and Snort tonight while listening to The Housemartins, which really is the perfect accompaniment. Sure, I could have a life, but what fun would that be to write about?

Interesting to see how many things Snort twigs on, like all the stop-doing-that ICMP messages that come back at 3 in the morning. After a bit of digging, I noticed that they were almost all triggered by an initial UDP packet to port 53 of some host -- which in turn is caused by the web stats program trying to figure out what country everyone's coming from. Not sure if Webalizer (which rox, btw) is being too aggressive in its timing or what; I've got it set up to do 35 concurrent queries, which now that I think of it could probably be scaled back a bit...what else has my server got to do at 3am?

Next step is to try and come up with a rule to catch WordPress comment spam; my wife's blog has been hit by gambling site spammers a couple of times already this month. The pattern may allow me to watch for it -- a quick POST, followed by a GET two to three seconds later, with the User-Agent set to look like IE 4.0 on Windows 98 -- but the question is how to get Snort to watch for a two-part signature like that.
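One way to watch for a two-part signature like that is to correlate it on the log side rather than in a single packet rule. The script below is an added example, not code from the post or from Snort or WordPress: it walks Apache combined-format access log lines, remembers each client's most recent comment POST, and flags a GET from the same client that lands two to three seconds later with the same suspect User-Agent. The comment endpoint path, the User-Agent regex and the sample log lines are all constructed assumptions for the example.

```python
"""Two-stage comment-spam detector over web server access logs.

Added example, not the blog author's code. Assumes Apache combined log
format, a WordPress comment endpoint path and a User-Agent pattern; none
of those three are taken from the post.
"""
import re
from datetime import datetime, timedelta

# Assumed comment endpoint and assumed User-Agent pattern (not from the post).
COMMENT_PATH = "/wp-comments-post.php"
SUSPECT_UA = re.compile(r"MSIE 4\.0;.*Windows 98")
# The post describes the GET arriving two to three seconds after the POST.
MIN_GAP = timedelta(seconds=2)
MAX_GAP = timedelta(seconds=3)

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2004:03:12:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)"
203.0.113.7 - - [17/Oct/2004:03:12:03 +0000] "GET /archives/2004/10/some-post/ HTTP/1.1" 200 8341 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)"
198.51.100.22 - - [17/Oct/2004:03:15:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; U; Linux i686)"
198.51.100.22 - - [17/Oct/2004:03:15:58 +0000] "GET /archives/2004/10/some-post/ HTTP/1.1" 200 8341 "-" "Mozilla/5.0 (X11; U; Linux i686)"
203.0.113.9 - - [17/Oct/2004:03:20:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)"
203.0.113.9 - - [17/Oct/2004:03:20:10 +0000] "GET /archives/2004/10/some-post/ HTTP/1.1" 200 8341 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_spam_pairs(lines):
    """Return (ip, post_ts, get_ts) for each POST->GET pair matching the pattern.

    State is kept per client IP: the most recent qualifying comment POST arms
    the second stage, and the next GET from that client either fires the
    alert (gap inside [MIN_GAP, MAX_GAP]) or, if it is too late, disarms it.
    A GET that arrives sooner than MIN_GAP leaves the POST armed, since a
    quick redirect follow is ordinary browser behaviour.
    """
    pending = {}  # ip -> timestamp of the last qualifying comment POST
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SUSPECT_UA.search(rec["ua"]):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["method"] == "POST" and rec["path"] == COMMENT_PATH:
            pending[ip] = ts  # stage 1 seen; wait for stage 2
        elif rec["method"] == "GET" and ip in pending:
            post_ts = pending[ip]
            gap = ts - post_ts
            if gap >= MIN_GAP:
                del pending[ip]  # either a hit or stale; stop waiting
                if gap <= MAX_GAP:
                    hits.append((ip, post_ts, ts))
    return hits


if __name__ == "__main__":
    for ip, post_ts, get_ts in find_spam_pairs(SAMPLE_LOG.splitlines()):
        print(f"{ip}: comment POST at {post_ts:%H:%M:%S}, "
              f"GET {int((get_ts - post_ts).total_seconds())}s later")
```

Run against the sample, only 203.0.113.7 is reported: the second client has the wrong User-Agent, and the third client's GET comes ten seconds after its POST, so its armed state is discarded rather than flagged. Snort's flowbits keep state within one TCP session, so a POST and a GET that arrive on separate connections need correlation outside the rule language, and a log-side correlator like this is one place to put it.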

Actually, the real question is how to build automatic weapons fire into Snort's flexible response options, but that's another point.

Mmm, The Housemartins. I'd forgotten how good they were. Drop down, baby, drop down dead tonight...