Snort mailing list archives

RE: SHUN


From: "ams67" <ams67 () xtra co nz>
Date: Tue, 3 Dec 2002 12:02:09 +1300



-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com] 
Sent: Tuesday, 3 December 2002 11:43 a.m.
To: ams67
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SHUN

On Mon, 2002-12-02 at 15:47, ams67 wrote:
IMAO IDSs should not interfere with FWs. If I spoof my IP address with
your current, e.g. DNS server and send a forged packet with an attack
signature to your network protected by your IDS/FW integrated system I
can create an easy DoS by stopping legal and operational traffic. 
That is really easy to accomplish (e.g. nmap -D your.good.dns.server,
your.good.external.router, etc.).

Basically true, but you can minimize the risk of those conditions.
SnortSam and Guardian for example have white-lists. Also, SnortSam can
detect DoS conditions and undo recent blocks and sit idle for a while.

Being able to DoS someone by spoofing DNS servers is becoming lame...
(no offense, but that argument has been beaten to death...)

Frank
--------------------------------------------------------
Of course, a white list can minimize the risk of DoS, but it also increases
the risk of not detecting an internal attack. Therefore, it is a question
of choosing which is less risky...
I personally prefer to leave the job of detecting network anomalies to an IDS,
the job of filtering unwanted packets to a FW and the job of deciding what is
right to stop to the skills of the security operator. The IDS
technologies are still at an early stage before I can totally rely on them.
I think now they are just good tools to 'help' to make decisions.

No offence taken, however I mentioned DNS and external router as a
simple example. The fact it has been beaten to death does not change the
level of potential threat.

Tony
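
The trade-off discussed in this thread, as an added example that is not part of either post and is not SnortSam's or Guardian's code: a toy auto-blocker with a white-list and a rollback when blocks arrive in a burst. The class name, thresholds and sample alerts are assumptions constructed for illustration.

```python
import ipaddress

class Shunner:
    """Toy auto-block manager: white-list check plus rollback on a block flood."""

    def __init__(self, whitelist, max_blocks=3, window=10.0, idle=60.0):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.max_blocks = max_blocks  # assumed: more new blocks than this per window = DoS condition
        self.window = window          # assumed window, seconds
        self.idle = idle              # assumed pause after a rollback, seconds
        self.blocked = {}             # source IP -> time the block was added
        self.idle_until = 0.0

    def on_alert(self, src, now):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.whitelist):
            return "whitelisted"      # never blocked, whether the alert was spoofed or genuine
        if now < self.idle_until:
            return "idle"             # alert still logged by the IDS, no firewall change
        self.blocked[src] = now
        recent = [a for a, t in self.blocked.items() if now - t <= self.window]
        if len(recent) > self.max_blocks:
            for a in recent:          # undo only the recent burst; older blocks stay
                del self.blocked[a]
            self.idle_until = now + self.idle
            return "rollback"
        return "blocked"

# Constructed sample alerts (time in seconds, source IP), documentation address ranges only.
ALERTS = [
    (0, "203.0.113.7"),      # isolated alert from one source
    (100, "192.0.2.53"),     # alert carrying the white-listed DNS server's address
    (101, "198.51.100.1"), (102, "198.51.100.2"),
    (103, "198.51.100.3"), (104, "198.51.100.4"),  # burst of alerts from many sources
    (105, "198.51.100.5"),
    (200, "192.0.2.53"),     # later alert from the white-listed address: still not blocked
]

def replay(alerts, whitelist):
    s = Shunner(whitelist)
    outcomes = [s.on_alert(src, t) for t, src in alerts]
    return outcomes, sorted(s.blocked)

if __name__ == "__main__":
    outcomes, still_blocked = replay(ALERTS, ["192.0.2.53/32"])
    for (t, src), result in zip(ALERTS, outcomes):
        print(f"t={t:>3} {src:<14} {result}")
    print("still blocked:", still_blocked)
```

The replay shows both sides of the exchange: the burst is rolled back and the white-listed server stays reachable, while the last alert illustrates that a white-listed address is never blocked even when the alert is genuine.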


