Snort mailing list archives

RE: SHUN


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 02 Dec 2002 16:43:28 -0600

On Mon, 2002-12-02 at 15:47, ams67 wrote:
> IMAO IDSs should not interfere with FWs. If I spoof my IP address with
> your current, e.g. DNS server and send a forged packet with an attack
> signature to your network protected by your IDS/FW integrated system I
> can create an easy DoS by stopping legal and operational traffic.
> That is really easy to accomplish (e.g. nmap -D your.good.dns.server,
> your.good.external.router, etc.).

Basically true, but you can minimize the risk of those conditions.
SnortSam and Guardian, for example, have white-lists. Also, SnortSam can
detect DoS conditions, undo recent blocks and sit idle for a while.

Being able to DoS someone by spoofing DNS servers is becoming lame...
(no offense, but that argument has been beaten to death...)

Frank


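As an added illustration of the two mitigations Frank describes (a white-list of addresses that an active-response agent never blocks, and a flood heuristic that undoes recent blocks and then sits idle), here is a small Python model. This is example code written for this page, not SnortSam's or Guardian's implementation; the class name, thresholds, time values and IP addresses are assumptions chosen for the demonstration, and time is passed in explicitly so the scenario is reproducible offline.

```python
import ipaddress
from collections import deque


class BlockGate:
    """Hypothetical gate in front of a firewall-blocking agent.

    Two defences against spoofed-source DoS of the blocking mechanism:
      * a white-list of networks that are never blocked (DNS servers,
        upstream routers, ...);
      * a flood heuristic: if more than max_blocks block requests arrive
        within `window` seconds, the recent blocks are undone and no new
        blocks are accepted for `idle_time` seconds.
    """

    def __init__(self, whitelist, max_blocks=5, window=10.0, idle_time=60.0):
        # strict=False lets entries like "198.51.100.1/24" parse as their network
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.max_blocks = max_blocks
        self.window = window
        self.idle_time = idle_time
        self.recent = deque()   # (timestamp, ip) of recent block requests
        self.blocked = {}       # ip -> timestamp of blocks currently in place
        self.idle_until = 0.0   # no blocking accepted before this time

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def request_block(self, ip, now):
        """Handle a block request for `ip` at time `now` (seconds).

        Returns one of: "whitelisted", "idle", "blocked", "flood".
        """
        if self.is_whitelisted(ip):
            return "whitelisted"          # spoofing a white-listed host achieves nothing
        if now < self.idle_until:
            return "idle"                 # still backing off after a flood
        # Forget requests that fell out of the sliding window.
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        self.recent.append((now, ip))
        if len(self.recent) > self.max_blocks:
            # Too many blocks too fast: assume a decoy/spoof flood, roll back
            # everything blocked inside the window and go idle for a while.
            for _, recent_ip in self.recent:
                self.blocked.pop(recent_ip, None)
            self.recent.clear()
            self.idle_until = now + self.idle_time
            return "flood"
        self.blocked[ip] = now
        return "blocked"


def demo():
    """Constructed scenario (not real traffic): a spoofed DNS server, then
    a burst of decoy addresses as nmap -D would produce."""
    gate = BlockGate(["192.0.2.53/32", "198.51.100.0/24"],
                     max_blocks=5, window=10.0, idle_time=60.0)
    results = [gate.request_block("192.0.2.53", 0.0)]           # spoofed DNS server
    for i in range(1, 8):                                        # seven decoys, 1 s apart
        results.append(gate.request_block("203.0.113.%d" % i, float(i)))
    results.append(gate.request_block("203.0.113.9", 70.0))     # after the idle period
    return results, sorted(gate.blocked)


if __name__ == "__main__":
    outcomes, still_blocked = demo()
    print(outcomes)
    print("currently blocked:", still_blocked)
```

The white-list check runs before anything else, so a forged packet carrying a white-listed source never reaches the firewall rule at all; the flood rollback is the coarser safety net for addresses you did not think to white-list.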
