Snort mailing list archives
RE: Country blocking?
From: Theodore Stout <theodorestout () yahoo com>
Date: Tue, 18 Jan 2005 18:58:45 -0800 (PST)
Matt, I can kind of see your point too. However, a properly configured Proxy Server would help out along with a good firewall and of course Snort. As for myself, I would actually benefit from this kind of rule set. I mean, there are the homepages I look at everyday religiously.

- securitynewsportal.com (Follow the Hampster!)
- moby.com (The pig likes music)
- cnn.com (Waiting for the next attack)
- sportsillustrated.cnn.com/basketball/ncaa/ (Need basketball!)
- snort.org (Need updates)
- snort.gr.jp (In Japanese)
- internetsecurityguru.com/ (Patrick rules!)
- sourceforge.com
- redhat.com (Must have fun)
- www.cert.org
- microsoft.com (Must know about those patches)
- slashdot.org (Must relax)
- uiuc.edu (Illini are #1 in B-ball now!)
- yahoo.com/r/m1
- google.com (must look up English words)

In my case, it would be better to just deny all and then only permit those sites. Shoot, I don't even look at my own company homepage! I should just use ISA 2004 server along with Snort and then life would be easy. The only problem I would have would be with google. In this way, I could build an entire stone bubble around me and just poke out a few holes to see what I want to see. Then configure Snort to generate an alert if any traffic comes in from any other site. Should be easy. I will try it when I go home since I got the software there.

Theo

--- Matt Kettler <mkettler () evi-inc com> wrote:
At 09:30 AM 1/18/2005, Donofrio, Lewis wrote:
Anything from RIPE.NET could be blocked as far as I can tell....

Just curious.. do you work for Verizon?
http://www.theregister.co.uk/2005/01/14/verizon_email_block/
Let's face it, from a security perspective geographic regions are a particularly lousy category for blocking. Most US companies have overseas branches, and many "US" companies actually host their websites, mail systems, etc in their foreign branches, or outsource them to foreign hosting firms.

Currently I'm seeing most of my spam and network attacks originating from DSL, cable and dialup nodes in the US. AT&T, ALGX, comcast, roadrunner and verizon, are all FREQUENT sources of attack, and collectively represent about 50% of my attack volume. From that perspective, the safest approach is to block all end-users from being able to access my systems.

Sure, if you're a US company, mostly doing business with other US based interests, most of your useful traffic is going to come from the US, and conversely, very little from outside of it. It might be tempting to just drop whole regions of the world, but let's face it, you're not buying yourself anything. It's like putting a west-facing wall outside a building, with no other sides to it. The enemy just has to walk around the wall and come from the south.

Were this a battlefield you might have bought yourself some extra time to bombard them with artillery. However in network attacks they'll just go away and come back an hour later from another IP, and you'll have very little idea it's the same attacker. They can certainly come back fast enough that you won't have had time to do anything to the actual person that is the source of the attacks.

You're closing yourself off to attacks launched from machines in one country, but who cares when your average Joe can buy a zombie net of thousands of US based home user machines. You're still as vulnerable to attack as you were before, you've only limited the angle they have to come from.
-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
__________________________________
Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250
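The "deny all, then permit only those sites, and alert on anything else" approach Theo describes is a destination allowlist, which is the mirror image of the source-based country blocking Matt argues against. The following is an added example (not code from the thread, from Snort, or from ISA Server) that applies such an allowlist to proxy-style log lines and emits an alert record for every request that falls outside it. The hostnames are taken from Theo's list; the log format, the log lines themselves, and the function names `is_allowed` and `alerts_from_log` are constructed for illustration. It deliberately covers the two edge cases a practitioner hits when turning a list like Theo's into policy: entries that carry a path (`yahoo.com/r/m1`) can only be enforced by a proxy that sees the URL, not by an IP-level firewall or a Snort IP rule, and host matching has to be a proper suffix match so that a lookalike such as `cnn.com.example.net` is not mistaken for a subdomain of `cnn.com`.

```python
"""Destination-allowlist check over constructed proxy log lines.

Added example, not code from the mailing-list thread.  Hostnames come from the
message; the log format, sample lines and function names are assumptions.
"""
from urllib.parse import urlsplit

# Allowlist in the form a proxy would take it: a hostname, optionally followed
# by a path prefix.  A bare hostname also covers its subdomains.
ALLOWED = [
    "securitynewsportal.com",
    "cnn.com",
    "snort.org",
    "google.com",
    "yahoo.com/r/m1",   # only this path on yahoo.com is permitted
]

# Constructed sample lines: "<time> <client> <method> <url> <status>".
LOG_LINES = [
    "2005-01-18T19:02:11 10.0.0.5 GET http://www.cnn.com/2005/WORLD/index.html 200",
    "2005-01-18T19:03:40 10.0.0.5 GET http://yahoo.com/r/m1 200",
    "2005-01-18T19:04:02 10.0.0.5 GET http://yahoo.com/mail/inbox 200",
    "2005-01-18T19:05:27 10.0.0.5 CONNECT mail.google.com:443 200",
    "2005-01-18T19:06:51 10.0.0.5 GET http://cnn.com.example.net/ 200",
    "garbage line",
    "2005-01-18T19:08:13 10.0.0.5 GET http://www.thinkgeek.com/sfshirt 200",
]


def _parse_entry(entry):
    """Split 'host/path/prefix' into ('host', '/path/prefix'); bare host -> '/'."""
    host, _, path = entry.partition("/")
    return host.lower(), ("/" + path) if path else "/"


def is_allowed(url, allowlist=ALLOWED):
    """Return True if the URL's host is an allowlisted host or a subdomain of
    one, and the URL path starts with the entry's path prefix."""
    if "://" not in url:
        # CONNECT requests log only "host:port"; give urlsplit a scheme.
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for entry in allowlist:
        e_host, e_path = _parse_entry(entry)
        # Exact host or a true subdomain: the "." prefix is what stops
        # "cnn.com.example.net" from matching the "cnn.com" entry.
        host_ok = host == e_host or host.endswith("." + e_host)
        if host_ok and path.startswith(e_path):
            return True
    return False


def alerts_from_log(lines, allowlist=ALLOWED):
    """Return one alert record per request whose destination is not allowlisted.
    Lines that do not have the expected fields are skipped."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        when, client, method, url = fields[:4]
        if not is_allowed(url, allowlist):
            alerts.append({"time": when, "src": client, "method": method, "url": url})
    return alerts


if __name__ == "__main__":
    for alert in alerts_from_log(LOG_LINES):
        print("ALERT {time} {src} {method} {url}".format(**alert))
```

Run as a script it prints three alerts: the `yahoo.com/mail/inbox` request (wrong path), the `cnn.com.example.net` lookalike, and the ThinkGeek request. Note that the path-restricted entry only works because the check sees the full URL; a firewall or Snort rule working on destination addresses would have to allow all of yahoo.com or none of it.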
Current thread:
- Country blocking? mdpeters (Jan 19)
- Re: Country blocking? Alex Kirk (Jan 19)
- Re: Country blocking? Jose Maria Lopez (Jan 19)
- <Possible follow-ups>
- RE: Country blocking? Donofrio, Lewis (Jan 19)
- RE: Country blocking? Cilin (Jan 19)
- RE: Country blocking? Matt Kettler (Jan 19)
- RE: Country blocking? Theodore Stout (Jan 19)
- Re: Country blocking? D.P.Round (Jan 19)
- Re: Country blocking? Wally Bedford (Jan 19)
- Re: Country blocking? Alex Butcher, ISC/ISYS (Jan 19)
- Re: Country blocking? Jose Maria Lopez (Jan 19)