Snort mailing list archives

Re: Snort Triggered Shun on Cisco ASA


From: Frank Knobbe <frank () knobbe us>
Date: Tue, 30 Jun 2009 14:34:21 -0500

On Tue, 2009-06-30 at 14:05 -0400, Steven King wrote:
> Would the script be fast enough to respond to an attack? SSH on the
> ASA's is fairly slow due to the back plane taking a back seat to passing
> traffic. Seems that attackers might be able to at least get some
> information before the script could complete its task.

Absolutely. It takes a few milliseconds for Snort to pick up the packet
and alert (and hey, by that time the packet already hit the target,
unless you run Snort in inline mode). Snort then sends the block request
to Snortsam, which will then telnet into the ASA and issue the shun. I
never timed it, but the whole process is pretty fast. The largest
latency is the telnet command sequence on the ASA. That may take about a
second.

Regardless, communication from/to that IP is then interrupted by the
ASA.

Where Snortsam shines is the ability to network sensors and firewalls,
so an attacker can be blocked on all your firewalls, wherever they may
be.

Regards,
Frank
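The Snort -> Snortsam -> ASA chain described above, as an added configuration example that is not part of the thread: it assumes Snortsam's `pix` plugin (which drives PIX/ASA over telnet), and the addresses, passwords, key and sid are placeholders. The `dontblock` lines are the safeguard a practitioner wants so a spoofed or misfired alert cannot shun the sensor, the management network or the ASA itself.

```conf
# snort.conf: hand alerts to the Snortsam agent (placeholder host:port/key)
output alert_fwsam: 127.0.0.1:898/s3cr3tkey

# Rule: shun the offending source for 15 minutes once the threshold trips.
# sid is a placeholder from the local (1000000+) range.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute-force attempt"; \
    flow:to_server,established; \
    threshold:type both, track by_src, count 5, seconds 60; \
    fwsam: src, 15 minutes; sid:1000001; rev:1;)

# snortsam.conf (on the Snortsam host)
accept 127.0.0.1/32, s3cr3tkey        # only this sensor may request blocks
dontblock 192.168.1.0/24              # sensor and management network, never shunned
dontblock 10.0.0.1                    # the ASA itself
pix 10.0.0.1 telnetpw enablepw        # ASA address, telnet password, enable password
logfile /var/log/snortsam.log         # audit trail of every block/unblock issued
```

Watching `snortsam.log` timestamps against the Snort alert time is the simplest way to measure the end-to-end latency the thread asks about.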


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
