Snort mailing list archives

RE: Country blocking?


From: Theodore Stout <theodorestout () yahoo com>
Date: Tue, 18 Jan 2005 18:58:45 -0800 (PST)

Matt,

I can kind of see your point too.  However, a properly
configured Proxy Server would help out along with a
good firewall and of course Snort.

As for myself, I would actually benefit from this kind
of rule set.  I mean, there are the homepages I look
at everyday religiously.

securitynewsportal.com (Follow the Hamster!)
moby.com (The pig likes music)
cnn.com (Waiting for the next attack)
sportsillustrated.cnn.com/basketball/ncaa/ (Need
basketball!)
snort.org (Need updates)
snort.gr.jp (In Japanese)
internetsecurityguru.com/ (Patrick rules!)
sourceforge.com
redhat.com (Must have fun)
www.cert.org 
microsoft.com (Must know about those patches)
slashdot.org (Must relax)
uiuc.edu (Illini are #1 in B-ball now!)
yahoo.com/r/m1
google.com (must look up English words)

In my case, it would be better to just deny all and
then only permit those sites.  Shoot, I don't even
look at my own company homepage!   I should just use
ISA 2004 server along with Snort and then life would
be easy. The only problem I would have would be with
google.

In this way, I could build an entire stone bubble
around me and just poke out a few holes to see what I
want to see.  Then configure Snort to generate an
alert if any traffic comes in from any other site. 
Should be easy.  I will try it when I go home since I
got the software there.

Theo


--- Matt Kettler <mkettler () evi-inc com> wrote:

At 09:30 AM 1/18/2005, Donofrio, Lewis wrote:
Anything from RIPE.NET could be blocked as far as I can tell....

Just curious... do you work for Verizon?

http://www.theregister.co.uk/2005/01/14/verizon_email_block/

Let's face it, from a security perspective geographic regions are a particularly lousy category for blocking. Most US companies have overseas branches, and many "US" companies actually host their websites, mail systems, etc. in their foreign branches, or outsource them to foreign hosting firms.

Currently I'm seeing most of my spam and network attacks originating from DSL, cable and dialup nodes in the US.  AT&T, ALGX, comcast, roadrunner and verizon are all FREQUENT sources of attack, and collectively represent about 50% of my attack volume. From that perspective, the safest approach is to block all end-users from being able to access my systems.

Sure, if you're a US company, mostly doing business with other US based interests, most of your useful traffic is going to come from the US, and conversely, very little from outside of it.

It might be tempting to just drop whole regions of the world, but let's face it, you're not buying yourself anything. It's like putting a west-facing wall outside a building, with no other sides to it. The enemy just has to walk around the wall and come from the south. Were this a battlefield you might have bought yourself some extra time to bombard them with artillery. However, in network attacks they'll just go away and come back an hour later from another IP, and you'll have very little idea it's the same attacker. They can certainly come back fast enough that you won't have had time to do anything to the actual person that is the source of the attacks.

You're closing yourself off to attacks launched from machines in one country, but who cares when your average Joe can buy a zombie net of thousands of US based home user machines. You're still as vulnerable to attack as you were before, you've only limited the angle they have to come from.







-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - 250MB free storage. Do more. Manage less. 
http://info.mail.yahoo.com/mail_250


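Theo's "deny all, then permit a few sites, and have Snort alert on anything else" idea, written out as a Snort 2 rule fragment of the kind in use when this thread was posted. This is an added illustration, not code from the list post or from the Snort project; the address ranges are constructed placeholders from the RFC 5737 documentation blocks and stand in for whatever the permitted sites actually resolve to, and the SIDs are local (>= 1000000) so they do not collide with distributed rules.

```snort
# Added example (not from the mailing-list post): allowlist-style monitoring.
# Addresses are constructed placeholders, not the real addresses of the sites
# Theo lists. Snort 2 of this era used "var" for address lists; later 2.x
# releases prefer "ipvar" for the same purpose.
var HOME_NET 10.0.0.0/24
var ALLOWED_SITES [192.0.2.10,192.0.2.20,198.51.100.5,203.0.113.80]

# Outbound web request from the protected network to a server that is not on
# the allowlist. flow:to_server,established keeps this to completed sessions.
alert tcp $HOME_NET any -> !$ALLOWED_SITES [80,443] (msg:"POLICY outbound HTTP/HTTPS to non-allowlisted host"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)

# Any inbound connection attempt (bare SYN) toward the protected network from a
# host that is not on the allowlist.
alert tcp !$ALLOWED_SITES any -> $HOME_NET any (msg:"POLICY inbound connection attempt from non-allowlisted host"; flags:S; classtype:policy-violation; sid:1000002; rev:1;)
```

Two practical caveats follow directly from the rule shape. First, the allowlist has to be expressed as addresses, and large sites such as the news and search engines on Theo's list resolve to many, frequently changing addresses, so a static list will raise policy alerts on legitimate browsing unless it is refreshed; a proxy that allows by hostname, as Theo also suggests, sidesteps that. Second, these rules say nothing about DNS, so resolver traffic (UDP 53 to the configured resolvers) needs its own permit entry or it will show up as noise under the second rule's spirit once extended to UDP.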

