Snort mailing list archives
Re: SHUN
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 26 Nov 2002 15:11:32 -0600
On Tue, 2002-11-26 at 12:58, Matt Kettler wrote:
1) If you do automated shunning of IPs based on triggering of snort rules I can now DoS you off the net by spoofing attacks from all the root DNS server IPs. Now you've blocked them and won't be able to resolve DNS until you go to your firewall and remove the entries. I can add them back faster than you can remove them until you turn this feature of your snort box off.
That's why SnortSam, but also Guardian I believe, support a white list. In addition, SnortSam can detect a DoS by means of a blocking threshold level.
2) since your firewall can be configured automatically, this means the authentication mechanism to snort is stored in your snort box. If I can penetrate your snort box I can now reconfigure your firewall any way I want to suit my needs. This effectively widens your security risks unless you're positive the snort box cannot access the internet.
A valid point. But it is addressed when IDS sensors are configured to operate in stealth mode, by using taps, ro-cables, IP-less interfaces.

Frank
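The two mitigations Frank names for the first point (a white list of addresses that are never shunned, and a blocking threshold that suspends automatic blocking when block requests arrive faster than a legitimate attack would produce) can be sketched as a small decision routine. This is added example code, not part of the original post and not SnortSam's or Guardian's implementation; the addresses, threshold and window are constructed values.

```python
"""Auto-shun decision logic with a white list and a blocking threshold."""
from collections import deque
from ipaddress import ip_address, ip_network


class ShunPolicy:
    """Decide whether an IDS alert may turn into a firewall block."""

    def __init__(self, whitelist, max_blocks, window_seconds):
        # Networks that must never be blocked (resolvers, gateways, the sensor itself).
        self.whitelist = [ip_network(n) for n in whitelist]
        self.max_blocks = max_blocks      # block requests allowed per window
        self.window = window_seconds
        self.recent = deque()             # timestamps of accepted block requests
        self.suspended_until = None       # auto-blocking paused until this time

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def decide(self, ip, now):
        """Return 'block', 'log-only-whitelisted', 'suspend' or 'ignore-suspended'."""
        if self.is_whitelisted(ip):
            return "log-only-whitelisted"   # alert is kept, no firewall change
        if self.suspended_until is not None and now < self.suspended_until:
            return "ignore-suspended"
        # Forget block requests that fell out of the sliding window.
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_blocks:
            # Too many distinct blocks in a short time: treat as a spoofing
            # DoS against the shunning feature and pause it for one window.
            self.suspended_until = now + self.window
            self.recent.clear()
            return "suspend"
        self.recent.append(now)
        return "block"


def demo():
    """Constructed alert stream: one resolver hit, then a burst of spoofed sources."""
    policy = ShunPolicy(["198.51.100.53/32", "192.0.2.0/24"], max_blocks=5, window_seconds=60)
    alerts = [("198.51.100.53", 0)] + [(f"203.0.113.{i}", i) for i in range(10, 17)]
    return [policy.decide(ip, t) for ip, t in alerts]
```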