Snort mailing list archives
Re: Snort Triggered Shun on Cisco ASA
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 30 Jun 2009 14:34:21 -0500
On Tue, 2009-06-30 at 14:05 -0400, Steven King wrote:
> Would the script be fast enough to respond to an attack? SSH on the ASAs is fairly slow due to the back plane taking a back seat to passing traffic. Seems that attackers might be able to at least get some information before the script could complete its task.

Absolutely. It takes a few milliseconds for Snort to pick up the packet and alert (and hey, by that time the packet already hit the target, unless you run Snort in inline mode). Snort then sends the block request to Snortsam, which will then telnet into the ASA and issue the shun. I never timed it, but the whole process is pretty fast. The largest latency is the telnet command sequence on the ASA. That may take about a second. Regardless, communication from/to that IP is then interrupted by the ASA.

Where Snortsam shines is the ability to network sensors and firewalls, so an attacker can be blocked on all your firewalls, wherever they may be.

Regards,
Frank
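
The alert-to-shun step described in the message above, as an added example that is not part of the original post and is not Snortsam's code. It models only the decision between a Snort fast-format alert and the ASA `shun` command string; it does not connect to any device. The never-block list, the function name and the sample alert lines are assumptions made for illustration.

```python
import ipaddress
import re

# Source and destination endpoints at the end of a Snort "fast" alert line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)(?::\d+)?\s*$"
)

# Hypothetical never-block list: addresses whose loss would hurt more than the alert.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]


def shun_commands(alert_lines, never_block=NEVER_BLOCK):
    """Return one ASA 'shun' command per distinct, blockable alert source."""
    seen, commands = set(), []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line with IP endpoints
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # never pass unparsed text on to a device CLI
        if src in seen or any(src in net for net in never_block):
            continue  # already shunned, or protected from automatic blocking
        seen.add(src)
        commands.append(f"shun {src}")
    return commands


# Constructed sample alerts (documentation address ranges, made-up rule IDs).
SAMPLE_ALERTS = [
    "06/30-14:05:01.100000  [**] [1:1000001:1] constructed scan rule [**] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22",
    "06/30-14:05:01.200000  [**] [1:1000001:1] constructed scan rule [**] [Priority: 2] {TCP} 203.0.113.45:51235 -> 192.0.2.10:23",
    "06/30-14:05:02.000000  [**] [1:1000002:1] constructed dns rule [**] [Priority: 3] {UDP} 198.51.100.53:53 -> 192.0.2.10:40000",
    "06/30-14:05:03.000000  [**] [1:1000003:1] constructed icmp rule [**] [Priority: 3] {ICMP} 203.0.113.99 -> 192.0.2.10",
    "06/30-14:05:04.000000  [**] [1:1000004:1] constructed bad line [**] {TCP} 999.1.1.1:1 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    for cmd in shun_commands(SAMPLE_ALERTS):
        print(cmd)
```

The second alert repeats a source that is already shunned, the third comes from a protected address, and the fifth carries an address that does not parse, so only two commands are produced.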