Snort mailing list archives

Re: SHUN


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 26 Nov 2002 13:58:15 -0500

Snort itself doesn't support this, but there are add-on tools that do. For example, hogwash.

You can also use logwatch to monitor your snort log and kick off shell scripts to do whatever you want.

IMNSHO however, automated reconfiguration of your firewall is fraught with danger:

1) If you do automated shunning of IPs based on triggering of snort rules, I can now DoS you off the net by spoofing attacks from all the root DNS server IPs. Now you've blocked them and won't be able to resolve DNS until you go to your firewall and remove the entries. I can add them back faster than you can remove them until you turn this feature of your snort box off.

2) Since your firewall can be configured automatically, this means the authentication mechanism to snort is stored in your snort box. If I can penetrate your snort box I can now reconfigure your firewall any way I want to suit my needs. This effectively widens your security risks unless you're positive the snort box cannot access the internet.

At 09:48 AM 11/26/2002 -0800, Mike Koponick wrote:
Hello,

Does SNORT support adding commands to firewalls? As an example, if I
received a BAD packet, I would like to add a filter based on that
information to my firewall. I understand that SNORT cannot decide which
packets are bad, but I would think we would be able to trace an issue once
the command has been executed.

Any ideas?


Thanks in advance,

Mike
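An added example, not part of the original message and not code from Snort, hogwash or logwatch: a decision step that a shun script could call before touching the firewall, so that a spoofed alert from a root DNS server cannot produce a block. The class name, the never-shun entries other than 198.41.0.4 (a.root-servers.net), the TTL and the cap are assumptions, and the alert stream is constructed.

```python
import ipaddress

# Assumed never-shun list: addresses whose loss would take you offline.
# 198.41.0.4 is a.root-servers.net; the other entries are constructed examples.
NEVER_SHUN = [ipaddress.ip_network(n) for n in (
    "198.41.0.4/32",     # a root DNS server
    "192.0.2.53/32",     # constructed: your upstream resolver
    "10.0.0.0/8",        # constructed: internal address space
)]
BLOCK_TTL = 600          # seconds before a shun expires on its own
MAX_ACTIVE = 3           # cap on simultaneous shuns (small for the demo)


class ShunGuard:
    """Decides whether an alert source may be shunned; never touches the firewall."""

    def __init__(self):
        self.active = {}  # ip -> expiry timestamp

    def expire(self, now):
        self.active = {ip: t for ip, t in self.active.items() if t > now}

    def decide(self, src, now):
        """Return (action, reason) for one alert source address."""
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return ("skip", "unparseable address")
        self.expire(now)
        if any(ip in net for net in NEVER_SHUN):
            return ("skip", "on never-shun list")
        if ip in self.active:
            return ("skip", "already shunned")
        if len(self.active) >= MAX_ACTIVE:
            return ("skip", "active shun cap reached, needs a human")
        self.active[ip] = now + BLOCK_TTL
        return ("shun", "expires at %d" % (now + BLOCK_TTL))


def run(alerts):
    """alerts: list of (timestamp, source) pairs; returns the decisions."""
    guard = ShunGuard()
    return [(src,) + guard.decide(src, ts) for ts, src in alerts]


# Constructed alert stream: spoofed root server, then a burst of sources.
SAMPLE = [(0, "198.41.0.4"), (1, "203.0.113.7"), (2, "203.0.113.7"),
          (3, "203.0.113.8"), (4, "203.0.113.9"), (5, "203.0.113.10"),
          (700, "203.0.113.10")]

if __name__ == "__main__":
    for row in run(SAMPLE):
        print(row)
```

The expiry and the cap bound how much a flood of spoofed sources can block at once; they do not address the second point above, since whatever applies the decisions still holds firewall credentials.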


