Snort mailing list archives
RE: SHUN
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 03 Dec 2002 09:28:44 -0600
On Tue, 2002-12-03 at 00:28, ams67 wrote:
> Perhaps I am the one who is missing something. I do not know SnortSam (I will try it for sure). I thought that a white-list is the list of IP addresses that SnortSam will not block and 'analyze'.
Tony, again, Snort and SnortSam are two different programs. Snort still does analysis. It's just that SnortSam doesn't block white-listed IPs. I think that's what you mean, though.
> However, I would like to understand how SnortSam can manage a SYN flood attack where the source IP is randomly generated for each packet sent (e.g. synk4). Filling up the logs and blocking hundreds of thousands of random IP addresses, would that not be considered a successful DoS?
There is no fancy AI involved. SnortSam uses a simple threshold mechanism to detect 'attacks'. If SnortSam exceeds a definable amount of blocking requests in a definable amount of time, it will unblock the last <definable> IP addresses, and then just wait until the current rate of blocking requests recedes below the threshold level. It then waits an additional definable time before it acts on blocking requests again.

So under normal conditions, you may see a maximum of, for example, 5 blocks (read: unique IPs) per 10 seconds. If you try to DoS SnortSam with your SYN-flood attack, you will probably exceed 10 blocks per 10 secs (let's use that as an example for the set threshold). SnortSam will then unblock the last <x> blocks it 'mistakenly' blocked and wait until you quit DoS'ing the system. It then waits a while to make sure you're really gone, and then gets back to work. Not a fool-proof method, but it seems to work pretty well.

Regards,
Frank