Snort mailing list archives
RE: SHUN
From: "ams67" <ams67 () xtra co nz>
Date: Wed, 4 Dec 2002 09:19:50 +1300
Frank Thank you for your clear explanation. However, I still have a possible 'lame' question to ask. :-) Please correct me if I am wrong. If I am the attacker and I do not want my ip address blocked by SnortSam, I could lunch a syn-flood attack so I achieve a kind of 'fail-open' status. In the meantime, I lunch the real attack that will not be blocked as I managed to reach the threshold from my previous syn-attack. In this way I can easily evade the functionality of SnortSam. I understand that in security, nothing is foolproof, however I still think that now tool like SnortSam or Guardian are still too 'fool' to be used in a productive/operational environment. Probably until the TCP/IP protocol is not rewritten with 'security' in mind, the attackers will always be one-step forward... Regards Tony -----Original Message----- From: Frank Knobbe [mailto:fknobbe () knobbeits com] Sent: Wednesday, 4 December 2002 4:29 a.m. To: ams67 Cc: snort-users () lists sourceforge net Subject: RE: [Snort-users] SHUN
Tony, again, Snort and SnortSam are two different programs. Snort still does analysis. It's just that SnortSam doesn't block white-listed IP's. I think that's what you mean though. There is no fancy AI involved. SnortSam uses a simple threshold mechanism to detect 'attacks'. If SnortSam exceeds a defineable amount of blocking requests in a definable amount of time, it will unblock the last <definable> IP addresses, and then just wait until the current
rate
of blocking requests receeds below the threshold level. It then waits
an
additional definable time before it acts on blocking requests again. So under normal conditions, you may see a maximum of, for example, 5 blocks (read, unique IP's) per 10 seconds. If you try to DoS SnortSam with your syn-flood attack, you will probably exceed, 10 blocks ber 10 secs (let's use that as an example for the set threshold). SnortSam
will
then unblock the last <x> blocks it 'mistakenly' blocked, waits until you quit DoS'ing the system. It then waits a time to make sure you're really gone, and then get's back to work. Not a fool-proof method, but it seems to work pretty good.
--------------------- ------------------------------------------------------- This SF.net email is sponsored by: Microsoft Visual Studio.NET comprehensive development tool, built to increase your productivity. Try a free online hosted session at: http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: SHUN, (continued)