Snort mailing list archives

RE: SHUN


From: "ams67" <ams67 () xtra co nz>
Date: Wed, 4 Dec 2002 09:19:50 +1300

Frank

Thank you for your clear explanation.
However, I still have a possible 'lame' question to ask. :-)
Please correct me if I am wrong. If I am the attacker and I do not want
my IP address blocked by SnortSam, I could launch a SYN-flood attack so I
achieve a kind of 'fail-open' status. In the meantime, I launch the real
attack, which will not be blocked as I managed to reach the threshold with
my previous SYN attack. In this way I can easily evade the functionality
of SnortSam.
I understand that in security nothing is foolproof; however, I still
think that tools like SnortSam or Guardian are now still too 'fool' to be
used in a productive/operational environment.
Probably until the TCP/IP protocol is rewritten with 'security' in
mind, the attackers will always be one step ahead...

Regards

Tony

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com] 
Sent: Wednesday, 4 December 2002 4:29 a.m.
To: ams67
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SHUN

Tony,

again, Snort and SnortSam are two different programs. Snort still does
analysis. It's just that SnortSam doesn't block white-listed IPs. I
think that's what you mean though.

There is no fancy AI involved. SnortSam uses a simple threshold
mechanism to detect 'attacks'. If SnortSam exceeds a definable amount
of blocking requests in a definable amount of time, it will unblock the
last <definable> IP addresses, and then just wait until the current rate
of blocking requests recedes below the threshold level. It then waits an
additional definable time before it acts on blocking requests again.

So under normal conditions, you may see a maximum of, for example, 5
blocks (read, unique IPs) per 10 seconds. If you try to DoS SnortSam
with your SYN-flood attack, you will probably exceed 10 blocks per 10
secs (let's use that as an example for the set threshold). SnortSam will
then unblock the last <x> blocks it 'mistakenly' blocked, and wait until
you quit DoS'ing the system. It then waits a time to make sure you're
really gone, and then gets back to work.

Not a fool-proof method, but it seems to work pretty well.
---------------------
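The threshold / fail-open behaviour Frank describes, written out as a small Python simulation so an operator can see which blocks survive a burst of block requests, how long the blocker stays failed open, and what the "unblock the last <x>" parameter does to earlier, legitimate blocks. This is an added illustration, not SnortSam's code or a description of its internals: the class, the parameter names (max_blocks, window, unblock_last, cooldown), the event log and the addresses in the scenario are all constructed for the example, and the simulation only re-evaluates its state when a request or a tick() call arrives.

```python
# Simulation of the threshold / fail-open mechanism described in the thread.
# Added example, not SnortSam's code: class, parameter names, event log and
# the scenario addresses are all constructed for illustration.
from collections import deque


class ThresholdBlocker:
    def __init__(self, max_blocks=10, window=10.0, unblock_last=10, cooldown=5.0):
        self.max_blocks = max_blocks      # block requests tolerated per window
        self.window = window              # seconds over which requests are counted
        self.unblock_last = unblock_last  # recent blocks undone when the threshold trips
        self.cooldown = cooldown          # extra quiet time before blocking resumes
        self.blocked = set()              # addresses currently blocked
        self.history = []                 # addresses in the order they were blocked
        self.recent = deque()             # timestamps of recent block requests
        self.tripped = False              # True while failed open
        self.quiet_since = None           # when the rate was first seen back under threshold
        self.events = []                  # (time, event, detail) for the operator's log

    def _rate(self, now):
        """Drop requests that aged out of the window; return how many remain."""
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent)

    def _trip(self, now):
        """Threshold exceeded: undo the last <unblock_last> blocks, stop acting."""
        self.tripped = True
        self.quiet_since = None
        keep = max(len(self.history) - self.unblock_last, 0)
        undone = self.history[keep:]
        self.history = self.history[:keep]
        for ip in undone:
            self.blocked.discard(ip)
        self.events.append((now, "tripped", undone))

    def _update(self, now):
        # Re-evaluate state at time `now`; timestamps must be non-decreasing.
        rate = self._rate(now)
        if not self.tripped:
            if rate > self.max_blocks:
                self._trip(now)
            return
        if rate > self.max_blocks:
            self.quiet_since = None       # still flooded: cooldown clock does not run
            return
        if self.quiet_since is None:
            self.quiet_since = now        # rate receded: cooldown clock starts
        if now - self.quiet_since >= self.cooldown:
            self.tripped = False
            self.quiet_since = None
            self.events.append((now, "resumed", None))

    def tick(self, now):
        """Periodic check with no request; returns True when blocking is active."""
        self._update(now)
        return not self.tripped

    def request_block(self, now, ip):
        """Handle one block request from the IDS; returns True if ip was blocked."""
        self.recent.append(now)
        self._update(now)
        if self.tripped:
            self.events.append((now, "ignored", ip))
            return False
        self.blocked.add(ip)
        self.history.append(ip)
        self.events.append((now, "blocked", ip))
        return True


def fail_open_seconds(events):
    """Total time spent failed open, from each 'tripped' to the next 'resumed'."""
    total, opened = 0.0, None
    for t, kind, _ in events:
        if kind == "tripped":
            opened = t
        elif kind == "resumed" and opened is not None:
            total += t - opened
            opened = None
    return total


def run_scenario():
    """Constructed scenario: three legitimate blocks, a burst of twelve block
    requests inside half a second, one request arriving while failed open,
    then quiet time until the blocker resumes."""
    sam = ThresholdBlocker(max_blocks=10, window=10.0, unblock_last=10, cooldown=5.0)
    legit = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for t, ip in zip((0.0, 1.0, 2.0), legit):
        sam.request_block(t, ip)
    burst = ["198.51.100.%d" % i for i in range(12)]
    for i, ip in enumerate(burst):
        sam.request_block(30.0 + i / 25, ip)        # 25 requests per second
    during = sam.request_block(32.0, "203.0.113.5")  # arrives while failed open
    sam.tick(41.0)                                   # burst aged out, cooldown running
    still_open = sam.tripped
    sam.tick(46.0)                                   # cooldown elapsed
    after = sam.request_block(47.0, "203.0.113.6")
    return {
        "legit_still_blocked": all(ip in sam.blocked for ip in legit),
        "burst_blocked": sum(ip in sam.blocked for ip in burst),
        "blocked_during_fail_open": during,
        "still_open_at_41": still_open,
        "blocked_after_cooldown": after,
        "fail_open_seconds": fail_open_seconds(sam.events),
    }
```

Running run_scenario() shows the trade-off the thread is about: the eleventh request in the window trips the threshold, the ten burst blocks are undone, the request that arrives while failed open is ignored, and the three earlier blocks survive only because unblock_last is no larger than the burst (set it to 13 and they are undone as well). fail_open_seconds() is the exposure window, which is the number worth logging and alerting on when this kind of threshold is deployed.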
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users