Snort mailing list archives
RE: SHUN
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 02 Dec 2002 16:43:28 -0600
On Mon, 2002-12-02 at 15:47, ams67 wrote:
> IMAO IDSs should not interfere with FWs. If I spoof my IP address with your current, e.g. DNS server and send a forged packet with an attack signature to your network protected by your IDS/FW integrated system I can create an easy DoS by stopping legal and operational traffic. That is really easy to accomplish (e.g. nmap -D your.good.dns.server, your.good.external.router, etc..).

Basically true, but you can minimize the risk of those conditions. SnortSam and Guardian for example have white-lists. Also, SnortSam can detect DoS conditions and undo recent blocks and sit idle for a while. Being able to DoS someone by spoofing DNS servers is becoming lame... (no offense, but that argument has been beaten to death...)

Frank
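The two mitigations named in the reply above (a white-list, and undoing recent blocks then sitting idle when the blocking rate itself looks like a DoS), sketched as an added example that is not part of the original message and is not SnortSam or Guardian code. The class name, thresholds and sample alerts are assumptions constructed for illustration.

```python
from collections import deque

class BlockDecider:
    """Illustrative auto-block policy: white-list plus block-rate rollback."""

    def __init__(self, whitelist, max_blocks=3, window=10.0, idle=60.0):
        self.whitelist = set(whitelist)   # hosts that must never be blocked
        self.max_blocks = max_blocks      # assumed threshold: new blocks per window
        self.window = window              # window length in seconds
        self.idle = idle                  # seconds to ignore alerts after a flood
        self.recent = deque()             # (timestamp, ip) of recent blocks
        self.blocked = set()
        self.idle_until = 0.0

    def on_alert(self, ts, src_ip):
        """Return the action taken for one IDS alert seen at time ts."""
        if src_ip in self.whitelist:
            return "ignored-whitelisted"
        if ts < self.idle_until:
            return "ignored-idle"
        # Drop block records that have aged out of the window.
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        if src_ip in self.blocked:
            return "already-blocked"
        self.recent.append((ts, src_ip))
        self.blocked.add(src_ip)
        if len(self.recent) > self.max_blocks:
            # Too many new blocks too quickly: treat the alerts as a spoofed
            # flood, undo the recent blocks and stop blocking for a while.
            for _, ip in self.recent:
                self.blocked.discard(ip)
            self.recent.clear()
            self.idle_until = ts + self.idle
            return "rollback"
        return "blocked"

def run_demo():
    # Constructed alerts (time, source IP); addresses are documentation ranges.
    d = BlockDecider(whitelist={"192.0.2.53", "192.0.2.1"})
    alerts = [(0.0, "192.0.2.53"), (1.0, "198.51.100.7"), (2.0, "203.0.113.1"),
              (2.1, "203.0.113.2"), (2.2, "203.0.113.3"), (5.0, "203.0.113.4"),
              (70.0, "198.51.100.9")]
    actions = [d.on_alert(ts, ip) for ts, ip in alerts]
    return actions, sorted(d.blocked)
```

The rollback also releases any genuine offender blocked within the same window, which is the trade-off such a policy accepts in exchange for not cutting off legitimate traffic.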