Snort mailing list archives

Re: SHUN


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 26 Nov 2002 15:11:32 -0600

On Tue, 2002-11-26 at 12:58, Matt Kettler wrote:
> 1) If you do automated shunning of IPs based on triggering of snort
> rules I can now DoS you off the net by spoofing attacks from all the root
> DNS server IPs. Now you've blocked them and won't be able to resolve DNS
> until you go to your firewall and remove the entries. I can add them back
> faster than you can remove them until you turn this feature of your snort
> box off.

That's why SnortSam, but also Guardian I believe, support a white list.
In addition, SnortSam can detect a DoS by means of a blocking threshold
level.

> 2) Since your firewall can be configured automatically, this means
> the authentication mechanism to snort is stored in your snort box. If I can
> penetrate your snort box I can now reconfigure your firewall any way I want
> to suit my needs. This effectively widens your security risks unless you're
> positive the snort box cannot access the internet.

A valid point. But it is addressed when IDS sensors are configured to
operate in stealth mode, by using taps, ro-cables, IP-less interfaces.

Frank

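As an added illustration of the two safeguards named above, a white list and a blocking threshold, here is a small Python policy (written for this archive page, not code from SnortSam, Guardian or anyone in the thread) that refuses to block allowlisted addresses and suspends automatic blocking when block requests exceed a rate threshold, which is what a flood of spoofed alerts looks like; the class name, the documentation-range addresses and the limits are constructed assumptions.

```python
import ipaddress
from collections import deque


class ShunPolicy:
    """Decide whether an IDS alert may trigger an automatic firewall block.

    Two safeguards: an allowlist of networks that are never blocked (so a
    spoofed packet "from" a critical host such as a DNS server cannot lock
    you out), and a sliding-window threshold that suspends automatic
    blocking once block requests arrive faster than max_blocks per window,
    leaving the decision to an operator instead of the attacker.
    """

    def __init__(self, allowlist, max_blocks, window_seconds):
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.max_blocks = max_blocks
        self.window = window_seconds
        self.recent = deque()      # timestamps of recent block requests
        self.suspended = False     # sticky until an operator clears it

    def _allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def decide(self, src_ip, now):
        """Return 'allowlisted', 'block' or 'suspended' for one alert."""
        if self._allowlisted(src_ip):
            return "allowlisted"
        # Forget block requests that fall outside the sliding window.
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        self.recent.append(now)
        if len(self.recent) > self.max_blocks:
            self.suspended = True  # too many blocks too fast: likely spoofed flood
        return "suspended" if self.suspended else "block"


def demo():
    """Constructed alert stream: the first source is an allowlisted 'DNS
    server' stand-in, the rest are a burst that trips the threshold."""
    # RFC 5737 documentation ranges stand in for real resolver addresses.
    policy = ShunPolicy(["192.0.2.0/24", "198.51.100.53/32"],
                        max_blocks=3, window_seconds=60)
    alerts = [("198.51.100.53", 0), ("203.0.113.10", 1), ("203.0.113.11", 2),
              ("203.0.113.12", 3), ("203.0.113.13", 4), ("203.0.113.14", 5)]
    return [policy.decide(ip, t) for ip, t in alerts]
```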

