Snort mailing list archives
Re: Snort & Intrusion Prevention
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 02 Jun 2004 11:24:46 -0500
On Wed, 2004-06-02 at 08:10, Maetzky, Steffen (Extern) wrote:
> 2. If I use guardian or snortsam snort is still passive and doesn't drop packets but sessions are closed over a special period. Guardian and snortsam reconfigure an active firewall directly. -> DoS possible
That's why I included countermeasures in Snortsam to avoid DoS conditions.

Snortsam is a reactive system (as opposed to an inline, active system). The advantage is that you can block all traffic to or from (or both) that host. Besides the obvious "blocking all access to the host" type block, you can also perform isolation blocks. That means that it can do these things that you would do anyway -- isolating compromised hosts for later analysis -- just in an automated fashion. (Imagine your hacked web server getting quarantined at 4am automatically...). Or it can aid in policy enforcement where internal hosts get punished with a block from the Internet for certain actions. Or automatically block unknown new hosts. (I could go on as there are plenty more scenarios where Snortsam can be helpful).

An inline IPS can only block on its own wire. Using Snortsam you could block one attacker on a multitude of firewalls. Consider this scenario: You have 20 Snort sensors and 8 firewalls, controlled by 5 Snortsam agents. If an intruder gets detected on any of the 20 sensors, he can be blocked on all 8 firewalls. Or consider an internal PC infected with a worm. If Snortsam detects it, it can isolate that workstation from the rest of the network in a snap.

The ability to act upon more than just the monitored segment differentiates reactive systems like Snortsam from inline devices.

Hope this helps.

Regards,
Frank
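The reactive layout described in the reply (many sensors, one blocking agent, several firewalls, with a never-block list as the anti-DoS safeguard), as an added illustrative model; this is not Snortsam's code. The per-sensor block cap, the class and method names, and the sample addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model (not Snortsam's code) of the layout in the post: many sensors
# report to one agent, which pushes each block to every firewall it controls.
@dataclass
class Firewall:
    name: str
    blocks: dict = field(default_factory=dict)  # blocked address -> expiry time

class ReactiveAgent:
    def __init__(self, firewalls, never_block, per_sensor_limit=50):
        self.firewalls = firewalls
        # DoS countermeasure: addresses never blocked, whatever an alert names,
        # so spoofed traffic cannot get your own gateway or DNS cut off.
        self.never_block = [ip_network(n) for n in never_block]
        # Second countermeasure (an assumption here, not the post's): a cap on
        # concurrent blocks per sensor, so an alert flood cannot fill the firewalls.
        self.per_sensor_limit = per_sensor_limit
        self.active = {}  # blocked address -> (reporting sensor, expiry time)

    def expire(self, now):
        # Lift every block whose duration has run out, on every firewall.
        for ip, (_, expiry) in list(self.active.items()):
            if expiry <= now:
                del self.active[ip]
                for fw in self.firewalls:
                    fw.blocks.pop(ip, None)

    def handle_alert(self, sensor, src, duration, now):
        """Block src on all firewalls for duration seconds; return the names changed."""
        self.expire(now)
        ip = ip_address(src)
        if any(ip in net for net in self.never_block) or ip in self.active:
            return []  # whitelisted, or already blocked: nothing to do
        if sum(1 for s, _ in self.active.values() if s == sensor) >= self.per_sensor_limit:
            return []  # this sensor already holds too many blocks: refuse the new one
        self.active[ip] = (sensor, now + duration)
        for fw in self.firewalls:
            fw.blocks[ip] = now + duration
        return [fw.name for fw in self.firewalls]

    def is_blocked(self, src):
        return ip_address(src) in self.active

def demo():
    fws = [Firewall(f"fw{i}") for i in range(1, 9)]  # the 8 firewalls in the post
    agent = ReactiveAgent(fws, never_block=["10.0.0.1/32", "10.0.53.0/24"])
    hit = agent.handle_alert("sensor07", "203.0.113.45", 300, now=0)  # constructed alert
    spoof = agent.handle_alert("sensor12", "10.0.0.1", 300, now=1)   # names the gateway
    agent.expire(now=301)
    return hit, spoof, agent.is_blocked("203.0.113.45")
```

One alert from one sensor lands the block on all eight firewalls, an alert naming a protected address is refused, and the block is lifted everywhere once its duration runs out.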