Snort mailing list archives
Re: fragroute vs. snort: the tempest in a teacup
From: Brad Powell <Brad.Powell () Sun COM>
Date: Fri, 19 Apr 2002 08:58:40 -0700 (PDT)
Darren writes:

> Well then IDS software needs to be smarter. IMHO it makes little sense for an IDS to be *behind* a firewall as it's going to miss out on lots of useful data points. Maybe this means telling your IDS software how big your network is so it can make intelligent decisions about how far a packet will go based on its TTL.

Actually it depends. Behind the firewall you can set the red flags to be very sensitive. Packets that should -never- be there send up big red flags, and page people because the FW failed. In front of the FW gives you more info to be sure, but also a lot of noise that your FW would block anyway. Depends on if you want to hear the door rattlers (millions of them) or not.

> IP Fragmentation is rare across the WAN, maybe, but anyone who's used NFSv2 knows how common it is on the LAN.

Actually with load balancing gear frags are more and more prevalent even on the WAN.

> There are good reasons NOT to do reassembly and I imagine those that do not do so because they understand this better than the desire to simply add yet another feature which some consider "cool".

True, except if you can't guarantee that you will see the whole packet through the SAME interface. We tripped over this a few times with SunScreen doing stateful inspection (a good thing most of the time). Anywhere from 1/2 to more of the traffic was going through a different router and the Firewall was sitting there holding 1/2 of the packet in a memory buffer that would never get freed. Eventually you get enough of these that the network slows down or the FW runs out of memory. HPux was notorious for opening a buffer for frags, and never freeing the buffer. The easy way to bring HP's to their knees :-)

Brad Powell : HOME: brad () fish com WORK: brad.powell () Sun COM
-------------------------------------------------------------------------
The views expressed are those of the author and may not reflect the views of Sun Microsystems Inc.
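The failure mode Brad describes (a reassembler that buffers half a datagram forever because the other fragments took a different path) comes down to whether the partial-datagram table has a timeout and a size cap. The following is an added example written for this archive page, not code from Snort, SunScreen or any poster: a toy IPv4 fragment reassembler with both controls, plus a simulation of asymmetric routing in which only the first fragment of each datagram ever reaches the sensor. The `Fragment` fields, the `Reassembler` API and the 30-second timeout are assumptions chosen for illustration; the traffic is constructed inline.

```python
"""Toy IPv4 fragment reassembler with expiry and a pending-table cap.

Added example for the thread above; not Snort's frag preprocessor and not
anything a poster wrote.  Field names and defaults are assumptions.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int
    proto: int
    offset: int      # byte offset of this payload within the original datagram
    more: bool       # the IP "more fragments" (MF) flag
    payload: bytes


Key = Tuple[str, str, int, int]   # (src, dst, ip_id, proto) identifies one datagram


@dataclass
class Partial:
    first_seen: float
    frags: Dict[int, Fragment] = field(default_factory=dict)
    total_len: Optional[int] = None   # known once the MF=0 fragment has arrived


class Reassembler:
    def __init__(self, timeout: float = 30.0, max_pending: int = 1024):
        self.timeout = timeout          # seconds a partial datagram may wait
        self.max_pending = max_pending  # hard cap on buffered partial datagrams
        self.pending: Dict[Key, Partial] = {}
        self.dropped = 0                # partials discarded by expiry or eviction

    def add(self, f: Fragment, now: float) -> Optional[bytes]:
        """Buffer one fragment; return the full payload once all pieces are present."""
        key = (f.src, f.dst, f.ip_id, f.proto)
        p = self.pending.get(key)
        if p is None:
            if len(self.pending) >= self.max_pending:
                self.expire(now)
                if len(self.pending) >= self.max_pending:
                    # Still full: evict the oldest partial so memory stays bounded.
                    oldest = min(self.pending, key=lambda k: self.pending[k].first_seen)
                    del self.pending[oldest]
                    self.dropped += 1
            p = Partial(first_seen=now)
            self.pending[key] = p
        # Same offset seen twice: last one wins here.  A real IDS must instead
        # apply the overlap policy of the host being protected (the fragroute issue).
        p.frags[f.offset] = f
        if not f.more:
            p.total_len = f.offset + len(f.payload)
        data = self._complete(p)
        if data is not None:
            del self.pending[key]
        return data

    def _complete(self, p: Partial) -> Optional[bytes]:
        if p.total_len is None:
            return None
        buf = bytearray()
        expect = 0
        for off in sorted(p.frags):
            if off != expect:          # hole or overlapping start: not done yet
                return None
            buf += p.frags[off].payload
            expect = off + len(p.frags[off].payload)
        return bytes(buf) if expect == p.total_len else None

    def expire(self, now: float) -> int:
        """Drop partial datagrams older than the timeout; return how many."""
        stale = [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]
        for k in stale:
            del self.pending[k]
        self.dropped += len(stale)
        return len(stale)


def simulate_asymmetric(n_datagrams: int, r: Reassembler, expire_each: bool = True) -> int:
    """Constructed traffic: only fragment 0 of every datagram reaches this sensor.

    Returns the size of the pending table afterwards.  With no timeout the
    table grows by one entry per datagram and never shrinks.
    """
    for i in range(n_datagrams):
        now = float(i)   # one datagram per second
        r.add(Fragment("10.0.0.1", "10.0.0.2", i, 17, 0, True, b"A" * 8), now)
        if expire_each:
            r.expire(now)
    return len(r.pending)


if __name__ == "__main__":
    leaky = Reassembler(timeout=math.inf, max_pending=10**9)
    print("no expiry, no cap:", simulate_asymmetric(1000, leaky, expire_each=False))
    bounded = Reassembler(timeout=30.0)
    print("30 s expiry:", simulate_asymmetric(1000, bounded))
```

With an infinite timeout and no cap the pending table ends at 1000 entries for 1000 datagrams, which is the HP-UX and SunScreen behaviour in the post scaled down; with a 30-second timeout it settles at 31 no matter how long the asymmetric routing lasts, and the `max_pending` cap protects the sensor even if an attacker floods first fragments faster than the timeout can drain them.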
Current thread:
- fragroute vs. snort: the tempest in a teacup Dragos Ruiu (Apr 17)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Enno Rey (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Marco Thorbruegge (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Crist J. Clark (Apr 20)
- Re: fragroute vs. snort: the tempest in a teacup Francis Cianfrocca (Apr 18)
- Re: Re: fragroute vs. snort: the tempest in a teacup Jason Haar (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- <Possible follow-ups>
- Re: fragroute vs. snort: the tempest in a teacup Brad Powell (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Steven M. Bellovin (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Craig, Scott (Apr 25)
- RE: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 25)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)