Snort mailing list archives

RE: Relationship between snort and ipchains and security strategies


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Sun, 19 Aug 2001 23:30:20 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Sunday, August 19, 2001 10:49 PM

[...]
Ultimately, IMHO, blocking attacks by IP address will not be an
effective security method: there are simply too many attacking IP's to
be blocked.
[...]
I think your methodology wants to focus on protecting services, and
guarding against new exploits.
[...]
Forget about blocking IP's; protect necessary services and
understand new exploits.

John,

blocking of IP addresses CAN be part of protecting services and
guarding against exploits. Your example of Code Red is correct. It
would be silly to block all those scanners. However, if you have a rule
that fires when YOUR infected server initiates scans to the outside,
it would make sense to block outgoing connections from YOUR server
until you can fix it. That would prevent your server from infecting
others.

In regards to guarding services, short term blocking of IP's can
help. Let's say you have your servers grouped at x.x.x.50, .51, .52.
Your router is at x.x.x.1. If you set up a rule that blocks for scans
against .2, and you block that IP address for, say, 5 minutes, then by
the time the scanner hits your servers, he may be blocked and
effectively blinded. Your services are protected.

Another example: Someone tries real hard to break into your web server
with some CGI exploit attempts. If you have a rule that blocks that
guy for, say, a couple of hours, you effectively slow him down. Chances
are great that he will wander off.

Blocking of IP's can assist your strategy, but it should not be your
main focus. And I don't recommend blocking IP addresses permanently.
Also, there are certain safeguards one must use (white-list, etc.). You
may have seen the features I put in SnortSam. Blocking can be done
safely. Oh well, I better stop before I come across as a
salesrep... (which I'm not)  :)

Just my opinion...
Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBO4CSXJytSsEygtEFEQK0hgCgwnZnH+WvGVMj8LnhpSzebGWZmroAnRGV
H0E7JiaWJpAdf+R4s3Y5doje
=1ui7
-----END PGP SIGNATURE-----
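The decoy-address scheme and the safeguards Frank describes (a short, expiring block and a white-list of addresses that must never be blocked) can be shown as a small simulation. The code below is an added example written for this archive page; it is not SnortSam code and not part of the original message. The addresses come from the documentation ranges (192.0.2.0/24 for the protected network, 203.0.113.9 for the scanner, 198.51.100.10 for a white-listed partner host), the event stream is constructed, and the 5-minute block length follows the post.

```python
"""Time-limited, white-list-aware IP blocking driven by a scan alert.

Constructed example (not SnortSam): a packet touching the unused decoy
address x.x.x.2 blocks the source for 5 minutes; white-listed sources
are never blocked, so a spoofed packet cannot make the blocker cut off
the router or a business partner.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ROUTER = ip_address("192.0.2.1")      # x.x.x.1 in the post
DECOY = ip_address("192.0.2.2")       # x.x.x.2: nothing lives here, so any hit is a scan
SERVERS = {ip_address(a) for a in ("192.0.2.50", "192.0.2.51", "192.0.2.52")}
BLOCK_SECONDS = 5 * 60                # "say, 5 minutes"

# Sources that are never blocked whatever the alert says: our own network
# (router included) and a hypothetical partner host. Constructed values.
WHITELIST = [ip_network("192.0.2.0/24"), ip_network("198.51.100.10/32")]


@dataclass
class Blocker:
    block_seconds: int = BLOCK_SECONDS
    # source address -> time (epoch seconds) at which the block expires
    blocks: dict = field(default_factory=dict)

    def is_whitelisted(self, src):
        return any(src in net for net in WHITELIST)

    def expire(self, now):
        """Drop blocks whose time is up, so nothing is blocked permanently."""
        for ip, until in list(self.blocks.items()):
            if until <= now:
                del self.blocks[ip]

    def handle(self, now, src, dst):
        """Decide 'drop' or 'pass' for one packet and update the block table."""
        self.expire(now)
        src, dst = ip_address(src), ip_address(dst)
        if src in self.blocks:
            return "drop"                      # still inside the block window
        if dst == DECOY and not self.is_whitelisted(src):
            self.blocks[src] = now + self.block_seconds
            return "drop"                      # scanner is now blinded for 5 minutes
        return "pass"


# Constructed event stream: (seconds since start, source, destination).
EVENTS = [
    (0, "203.0.113.9", "192.0.2.2"),       # scanner sweeps and hits the decoy first
    (1, "203.0.113.9", "192.0.2.50"),      # ... then reaches the real servers
    (2, "203.0.113.9", "192.0.2.51"),
    (3, "198.51.100.10", "192.0.2.50"),    # partner host, normal traffic
    (4, "198.51.100.10", "192.0.2.2"),     # partner host touches the decoy: still not blocked
    (5, "198.51.100.10", "192.0.2.50"),
    (301, "203.0.113.9", "192.0.2.52"),    # block has expired, scanner is no longer blinded
]


def simulate(events=EVENTS, block_seconds=BLOCK_SECONDS):
    """Run the events through a fresh Blocker and return the decisions."""
    b = Blocker(block_seconds=block_seconds)
    return [b.handle(t, src, dst) for t, src, dst in events]


if __name__ == "__main__":
    for (t, src, dst), verdict in zip(EVENTS, simulate()):
        print(f"t={t:4d} {src:>14} -> {dst:<12} {verdict}")
```

The white-list matters because the blocker acts on the source address of a packet it did not request; without it, a forged packet from the router's or a partner's address aimed at the decoy would make the blocker cut off a host you depend on. The expiry loop is what keeps the scheme "short term": the scanner is blinded while it sweeps, and the entry disappears on its own afterwards.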

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users