If you match it to port 80 then yes, all discussion via the web
of the worm, but not other non-port 80 discussion. Small price to
pay to stop the virus cold. Once stopped... what's there to discuss?
Also, encrypted xfers discussing "default.ida" would still go
through. It's better than just blocking ALL port 80. I'd rather block
even legit stuff that mentions "default.ida" than ALL HTTP. That's
just silly.


At 12:39 PM 9/3/01 -0500, you wrote:
>Jason DeStefano <destef at destef.com> writes:
>
>> When companies do stuff like this it's because they don't have
>> people smart enough to know how to correctly deal with the
>> problem. Hell, write an in-line packet analyzer and stick it
>> between your internet router and DMZ router. Have it search
>> the data portion of packets for the string "default.ida" and if
>> it sees it block the packet. This is cake to do and will stop the
>> virus cold in its tracks leaving all other traffic unaffected.
>> 
>> I can't stand incompetent companies and the moron employees
>> they hire like Qwaste/MSN/whatever the hell you are this week
>> companies.
>> 
>> </vent>
>
>Your brute-force suggestion would block all useful discussion *of* the
>worm as well as the worm itself.
>-- 
>David Dyer-Bennet      /      Welcome to the future!      /      dd-b at dd-b.net
>Photos: http://dd-b.lighthunters.net/  
>Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
>
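The trade-off argued in this thread, as an added example that is not part of either poster's message: a substring filter on "default.ida" compared with a check limited to the request path of HTTP requests sent to port 80. The function names and sample payloads are constructed for illustration, and the code assumes each payload is the reassembled start of a TCP stream rather than a single arbitrary packet.

```python
from urllib.parse import unquote_to_bytes

NEEDLE = b"default.ida"
METHODS = (b"GET", b"POST", b"HEAD")

def naive_match(payload: bytes) -> bool:
    """Filter as proposed in the thread: flag any payload containing the string."""
    return NEEDLE in payload.lower()

def request_target(payload: bytes):
    """Return the request-target if the payload begins with an HTTP request line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]

def targeted_match(payload: bytes, dst_port: int) -> bool:
    """Flag only requests to port 80 whose path (not body or query) names the file."""
    if dst_port != 80:
        return False
    target = request_target(payload)
    if target is None:
        return False
    # Normalise percent-encoding and case before comparing the path.
    path = unquote_to_bytes(target.split(b"?", 1)[0]).lower()
    return path.endswith(b"/" + NEEDLE)

# Constructed sample payloads (not captured traffic): name -> (dst_port, bytes)
SAMPLES = {
    "request for the .ida path": (80, b"GET /default.ida?AAAA HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    "web post discussing it": (80, b"POST /forum/reply HTTP/1.0\r\n\r\nbody=block+default.ida+at+the+router"),
    "mail discussing it": (25, b"Subject: worm\r\n\r\nFilter on default.ida?\r\n"),
    "server page quoting it": (40000, b"HTTP/1.0 200 OK\r\n\r\n<p>default.ida explained</p>"),
}

def compare():
    """Map each sample name to (naive verdict, targeted verdict)."""
    return {name: (naive_match(p), targeted_match(p, port))
            for name, (port, p) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, targeted) in compare().items():
        print(f"{name:28} naive={naive!s:5} targeted={targeted}")
```

Neither check sees inside encrypted transfers, which pass both filters unchanged.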