Snort mailing list archives

Re[2]: [Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...


From: Dmitry Komarov <dmit () tkb lv>
Date: Fri, 24 Aug 2001 10:29:51 +0400

Hello Abe once again, I just decided to send the question to the list!
:)

Stupid question, please: can I use flexresp WITHOUT an IP configured
on the interface? (i.e. while in "stealth" mode - just 'ifconfig eth1 up')

Maybe I'm lacking some knowledge, but as far as I understand it should
be possible. And it would be very useful for me. I have a Cisco
router and a firewall's interfaces within a netmask of 255.255.255.252,
connected through a hub. The Snort sensor is a second interface of one
internal Linux box, connected to the same hub. This interface is just
"ifconfig eth1 up", for security reasons and because there is no
additional address space within the netmask. For the reasons you've
explained I also do not want to block suspected IPs on my FW1 server.
That is the background of my question.

Thursday, August 23, 2001, 7:28:21 AM, you wrote:

aksku>         Agreed.  The best you can do at a high-traffic site is to have a
aksku> passive IDS which would talk to a firewall that would drop the incoming
aksku> connections.  While this is cool functionality to have, it's something you
aksku> have to be _very_ careful about.  For instance...
aksku>         A company here in Kentucky was using their IDS to tell their
aksku> firewall to block all IP addresses it saw a CodeRed detect come in from.
aksku> Needless to say, their firewall crashed about four minutes after the worm
aksku> started to really pick up steam.  Doh! =)
aksku>         This same company quickly built a Snort box (per my recommendation),
aksku> and using flexresp, successfully kept the worm from nailing them until they
aksku> could get all of their IIS boxes patched.  This is one case where resetting
aksku> connections was completely necessary, and saved the day.  Marty, where do I
aksku> send testimonials about Snort? =)



-- 
Best regards,
 Dmitry                            mailto:dmit () tkb lv


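What an active-response RST looks like on the wire, as an added example that is not part of this thread or of Snort's flexresp code. The point it illustrates is the one behind the question above: the reset that tears down a suspect connection is forged from the two endpoints' own addresses and ports (the sensor swaps them and picks sequence numbers the target will accept, following the RFC 793 reset rules), so no address belonging to the sensor appears in the packet. The observed segment, the 203.0.113.7 scanner and the 192.0.2.10 web server are constructed sample data, and `send_rst` is a hypothetical helper that is not called. One caveat a practitioner should keep in mind: a raw IP socket still goes through the kernel's routing table, so whether an address-less interface will actually transmit the packet depends on injecting at the link layer (as a libnet link-mode writer does) rather than through the IP stack; that is an assumption about the sending path, not something this thread confirms.

```python
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

# Constructed sample: the offending segment the sensor saw on the hub, a SYN from
# a hypothetical scanner (203.0.113.7) to a web server (192.0.2.10). Documentation
# address ranges are used; nothing here belongs to the sensor itself.
OBSERVED = {
    "src": "203.0.113.7", "dst": "192.0.2.10",
    "sport": 40123, "dport": 80,
    "seq": 1000, "ack": 0, "flags": TCP_SYN, "payload_len": 0,
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=0) -> bytes:
    """20-byte TCP header with a valid checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src, dst, payload: bytes, ttl=64, ident=0) -> bytes:
    """Minimal IPv4 header (no options) in front of `payload`, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def rst_for(observed: dict, target: str) -> bytes:
    """Forge the RST that kills the observed connection at one endpoint.

    target="sender":   addressed to the host that sent the segment, spoofing the receiver.
    target="receiver": addressed to the receiver, spoofing the sender.
    Sequence numbers follow the RFC 793 rules for generating a reset, so the target
    accepts the packet as a genuine reply to what it just sent or received.
    """
    seg_len = observed["payload_len"] + bool(observed["flags"] & TCP_SYN) + bool(observed["flags"] & TCP_FIN)
    if target == "sender":
        src, dst, sport, dport = observed["dst"], observed["src"], observed["dport"], observed["sport"]
        if observed["flags"] & TCP_ACK:
            seq, ack, flags = observed["ack"], 0, TCP_RST
        else:
            seq, ack, flags = 0, observed["seq"] + seg_len, TCP_RST | TCP_ACK
    elif target == "receiver":
        src, dst, sport, dport = observed["src"], observed["dst"], observed["sport"], observed["dport"]
        # The receiver expects the sender's next sequence number after this segment.
        seq, ack = observed["seq"] + seg_len, observed["ack"]
        flags = TCP_RST | (TCP_ACK if observed["flags"] & TCP_ACK else 0)
    else:
        raise ValueError("target must be 'sender' or 'receiver'")
    return build_ipv4(src, dst, build_tcp(src, dst, sport, dport, seq, ack, flags))


def parse(pkt: bytes) -> dict:
    """Decode IPv4+TCP headers and verify both checksums (for inspection and tests)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x3F,
        "ip_csum_ok": checksum(ip) == 0, "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def addresses_in(pkt: bytes) -> set:
    """The only IP addresses the forged packet carries: the two endpoints, never the sensor's."""
    p = parse(pkt)
    return {p["src"], p["dst"]}


def send_rst(pkt: bytes, dst_ip: str) -> None:
    """Hypothetical sender: raw IPv4 socket with our own header (needs CAP_NET_RAW).
    Caveat: this path consults the routing table, so on an interface with no address
    the kernel may refuse to route it; link-layer injection avoids that. Not called here."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(pkt, (dst_ip, 0))
    s.close()


if __name__ == "__main__":
    for who in ("sender", "receiver"):
        print(who, parse(rst_for(OBSERVED, who)))
```

Running the block prints both forged resets; the one aimed at the scanner comes from 192.0.2.10:80 with RST|ACK and acknowledges the SYN (ack 1001), the one aimed at the server comes from 203.0.113.7:40123 with seq 1001, and neither contains any address the sensor would need to own.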


