Snort mailing list archives

Re: Snort's Blocking Capability?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sun, 30 Mar 2003 22:13:16 +1200

Erek Adams wrote:

> > * Could a setup on the hacker's machine not simply ignore
> >   connection reset packets anyway?
>
> Well you could ignore them, but unless you rewrite your own TCP/IP stack,
> it's not terribly useful.

No need to rewrite the IP stack - e.g. the hacker could configure netfilter to just drop RSETs.
...However, pretty unlikely the attacked host is dropping them too...

But as you say - inline is the only real way of handling this reliably. Also note that "blocking" IDS can *really* sting you. I'm still smarting from two years ago when I allowed Snort to RSET CodeReds - totally killed one of our internal groups from uploading a particular PDF file to our DMZ. Apparently the CodeRed sig just happened to appear about 800K into the file :-) "I don't get it, the upload keeps failing at the same point..."

Be VERY careful with that sort of stuff. Virus-scanners have basically solved the FP problem due to recursive analysis and all sorts of double-checking - none of that is practical in an online IDS on 100M+ ethernet...

Jason
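The two mechanics Jason describes (one side filtering the forged RSTs so its stack never sees them, and a blocking signature firing on bytes that merely happen to occur inside a benign upload) can be reproduced in a small simulation. The Python below is an added example written for this archive page; it is not code from the thread, from Snort, or from any Snort signature. The signature bytes, sequence numbers, segment size, file sizes and the "exact-match" RST acceptance check are all constructed assumptions, and the pseudo-random "PDF" body is generated inline.

```python
"""Toy model of an out-of-band IDS that answers a signature match with forged
TCP RSTs (Snort's old resp:/flexresp behaviour), and of the two ways that
goes wrong: the peer filters RSTs, or the signature matches benign traffic."""
import random
from dataclasses import dataclass, field

# Constructed stand-in for a content: match.  Not Snort's real CodeRed rule.
SIGNATURE = b"/default.ida?NNNNNNNN"


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes = b""
    rst: bool = False


@dataclass
class Endpoint:
    name: str
    rcv_nxt: int            # next sequence number expected from the peer
    drop_rst: bool = False  # models a netfilter/iptables rule dropping inbound RSTs
    open: bool = True
    received: bytearray = field(default_factory=bytearray)

    def deliver(self, seg: Segment) -> None:
        if not self.open:
            return
        if seg.rst:
            if self.drop_rst:          # filter discards it before the stack looks
                return
            # Assumed stack behaviour: accept a RST only if its seq is exactly
            # rcv_nxt (RFC 5961 style).  A looser in-window check would only
            # make the forged RST easier to land, not harder.
            if seg.seq == self.rcv_nxt:
                self.open = False
            return
        if seg.seq == self.rcv_nxt:    # in-order data: accept and advance
            self.received += seg.payload
            self.rcv_nxt += len(seg.payload)


class SniffingIDS:
    """Passive sensor on a tap: reassembles the byte stream, searches for the
    signature (including across segment boundaries) and, if blocking, forges
    a RST towards each end from the seq/ack numbers it just observed."""

    def __init__(self, signature: bytes, block: bool):
        self.signature, self.block = signature, block
        self.stream, self.scanned, self.alerts = bytearray(), 0, []

    def inspect(self, seg: Segment) -> list:
        if seg.rst or not seg.payload:
            return []
        self.stream += seg.payload
        start = max(0, self.scanned - len(self.signature) + 1)
        idx = self.stream.find(self.signature, start)
        self.scanned = len(self.stream)
        if idx < 0:
            return []
        self.alerts.append(idx)       # offset into the stream where it fired
        if not self.block:
            return []
        end = seg.seq + len(seg.payload)
        return [Segment(seg.src, seg.dst, end, seg.ack, rst=True),    # to receiver
                Segment(seg.dst, seg.src, seg.ack, end, rst=True)]    # to sender


def transfer(data: bytes, ids: SniffingIDS, sender_drops_rst: bool = False,
             receiver_drops_rst: bool = False, mss: int = 1460):
    """Push `data` client->server through the tap; return (bytes the server
    got, client socket still open, server socket still open)."""
    client = Endpoint("client", rcv_nxt=5000, drop_rst=sender_drops_rst)
    server = Endpoint("server", rcv_nxt=1000, drop_rst=receiver_drops_rst)
    seq, ack = 1000, 5000
    for off in range(0, len(data), mss):
        if not (client.open and server.open):
            break
        seg = Segment("client", "server", seq, ack, data[off:off + mss])
        forged = ids.inspect(seg)
        server.deliver(seg)           # real segment wins the race to the server
        seq += len(seg.payload)
        for r in forged:
            (server if r.dst == "server" else client).deliver(r)
    return bytes(server.received), client.open, server.open


def make_benign_upload(total: int = 200_000, sig_offset: int = 120_000,
                       seed: int = 7) -> bytes:
    """Constructed 'PDF' body with the signature bytes embedded by chance."""
    body = bytearray(random.Random(seed).randbytes(total))
    body[sig_offset:sig_offset + len(SIGNATURE)] = SIGNATURE
    return bytes(body)


if __name__ == "__main__":
    pdf = make_benign_upload()
    got, c_open, s_open = transfer(pdf, SniffingIDS(SIGNATURE, block=True))
    print(f"benign upload cut at {len(got)} of {len(pdf)} bytes, "
          f"client open={c_open} server open={s_open}")
    attack = b"GET " + SIGNATURE + b"N" * 2000 + b" HTTP/1.0\r\n\r\n"
    got, c_open, s_open = transfer(attack, SniffingIDS(SIGNATURE, block=True),
                                   sender_drops_rst=True)
    print(f"attacker drops RSTs: client open={c_open} server open={s_open}")
```

Note what the model deliberately does not do: the tap never sees the forged RST until after the data segment has already reached the server, which is the race an out-of-band sensor always runs, and why an inline drop is the only response that is actually reliable. The attacker filtering RSTs keeps his own socket up but gains nothing as long as the server still honours them; the benign upload is killed at the segment containing the matching bytes, exactly the "fails at the same point every time" symptom.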


