Snort mailing list archives
RE: Relationship between snort and ipchains and security strategies
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Sun, 19 Aug 2001 23:30:20 -0500
-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Sunday, August 19, 2001 10:49 PM

[...]

> Ultimately, IMHO, blocking attacks by IP address will not be an effective security method: there are simply too many attacking IP's to be blocked.

[...]

> I think your methodology wants to focus on protecting services, and guarding against new exploits.

[...]

> Forget about blocking IP's; protect necessary services and understand new exploits.
John, blocking of IP addresses CAN be part of protecting services and guarding against exploits.

Your example of Code Red is correct. It would be silly to block all those scanners. However, if you have a rule that fires when YOUR infected server initiates scans to the outside, it would make sense to block outgoing connections from YOUR server until you can fix it. That would prevent your server from infecting others.

In regards to guarding services, short term blocking of IP's can help. Let's say you have your servers grouped at x.x.x.50, .51, .52. Your router is at x.x.x.1. If you set up a rule that blocks for scans against .2, and you block that IP address for, say 5 minutes, then by the time the scanner hits your servers, he may be blocked and effectively blinded. Your services are protected.

Other example: Someone tries real hard to break into your web server with some CGI exploit attempts. If you have a rule that blocks that guy for, say a couple hours, you effectively slow him down. Chances are great that he will wander off.

Blocking of IP's can assist your strategy, but it should not be your main focus. And I don't recommend blocking IP addresses permanently. Also, there are certain safeguards one must use (white-list etc). You may have seen the features I put in SnortSam. Blocking can be done safely.

Oh well, I better stop before I come across as a salesrep...(which I'm not) :)

Just my opinion...

Regards,
Frank
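The time-bounded blocking with a white-list safeguard that Frank describes, as an added Python example that is not part of the original post or of SnortSam; the signature names, the 30-minute outbound duration, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed placeholders standing in for the post's x.x.x.0 network.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: seconds to block the source of each alert type.
# Signature names are hypothetical placeholders, not real Snort SIDs.
BLOCK_SECONDS = {
    "SCAN hit on unused address":  5 * 60,        # 5 minutes, as in the post
    "WEB-CGI exploit attempt":     2 * 60 * 60,   # "a couple hours"
    "OUTBOUND scan from own host": 30 * 60,       # assumed duration
}

# Safeguard: addresses that must never be blocked (router and admin host).
WHITELIST = [ip_network("192.0.2.1/32"), ip_network("192.0.2.10/32")]


class TempBlocker:
    """Table of address -> expiry timestamp; no entry is permanent."""

    def __init__(self, policy=BLOCK_SECONDS, whitelist=WHITELIST):
        self.policy, self.whitelist, self.blocks = policy, whitelist, {}

    def _whitelisted(self, ip):
        return any(ip in net for net in self.whitelist)

    def handle_alert(self, now, signature, src_ip):
        """Block src_ip per policy; return its expiry, or None if skipped."""
        seconds, ip = self.policy.get(signature), ip_address(src_ip)
        if seconds is None or self._whitelisted(ip):
            return None
        # A repeat alert never shortens an existing block; it extends it.
        self.blocks[ip] = max(now + seconds, self.blocks.get(ip, 0))
        return self.blocks[ip]

    def is_blocked(self, now, ip):
        """True while the block is live; aged-out entries are released."""
        ip = ip_address(ip)
        if ip in self.blocks and self.blocks[ip] <= now:
            del self.blocks[ip]
        return ip in self.blocks

    def active(self, now):
        """Sorted addresses still blocked at `now`, after expiring old ones."""
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        return sorted(str(ip) for ip in self.blocks)


# Constructed alert log: (epoch seconds, signature, source address)
SAMPLE_ALERTS = [
    (0,   "SCAN hit on unused address",  "198.51.100.7"),  # probes .2 first
    (60,  "WEB-CGI exploit attempt",     "203.0.113.9"),   # hammers the web server
    (90,  "SCAN hit on unused address",  "192.0.2.1"),     # router: whitelisted
    (120, "OUTBOUND scan from own host", "192.0.2.50"),    # our infected server
]


def replay(alerts=SAMPLE_ALERTS):
    blocker = TempBlocker()
    for ts, sig, src in alerts:
        blocker.handle_alert(ts, sig, src)
    return blocker
```

In a real deployment the expiry would drive a firewall rule removal (the ipchains delete in this thread's case) rather than a dictionary entry; the policy logic stays the same.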