Snort mailing list archives
Re[2]: [Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...
From: Dmitry Komarov <dmit () tkb lv>
Date: Fri, 24 Aug 2001 10:29:51 +0400
Hello Abe once again, I just decided to send the question to the list! :)

Stupid question, please: can I use flexresp WITHOUT an IP configured on the interface? (i.e. while in "stealth" mode - just 'ifconfig eth1 up') Maybe I'm lacking knowledge, but as far as I understand it should be possible. And it would be very useful for me.

I have CISCO router and firewall interfaces within a netmask 255.255.255.252, connected through a HUB. The SNORT sensor is a second interface of one internal Linux box, connected to the same HUB. This interface is just "ifconfig eth1 up" for security reasons and because there is no additional address space within the netmask. For the reasons you've explained I also do not want to block suspected IPs on my FW1 server. That is the background of my question.

Thursday, August 23, 2001, 7:28:21 AM, you wrote:

aksku> Agreed. The best you can do at a high-traffic site is to have a
aksku> passive IDS which would talk to a firewall that would drop the incoming
aksku> connections. While this is cool functionality to have, it's something you
aksku> have to be _very_ careful about. For instance...
aksku>
aksku> A company here in Kentucky was using their IDS to tell their
aksku> firewall to block all IP addresses it saw a CodeRed detect come in from.
aksku> Needless to say, their firewall crashed about four minutes after the worm
aksku> started to really pick up steam. Doh! =)
aksku>
aksku> This same company quickly built a Snort box (per my recommendation),
aksku> and using flexresp, successfully kept the worm from nailing them until they
aksku> could get all of their IIS boxes patched. This is one case where resetting
aksku> connections was completely necessary, and saved the day. Marty, where do I
aksku> send testimonials about Snort? =)

--
Best regards,
 Dmitry                            mailto:dmit () tkb lv
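The scenario Abe describes in the quoted text (a passive Snort sensor using flexresp to reset CodeRed connections instead of pushing a block entry to the firewall for every source) is shown here as an added example; it is not a rule from this thread or from the Snort distribution. The request path `/default.ida?` is the well-known CodeRed probe against IIS; the rule message, the SIDs, the `$HOME_NET`/`$EXTERNAL_NET` variable names and the `--enable-flexresp` build requirement are stated as assumptions about a Snort 1.x-era setup.

```snort
# Added example, not from the original thread. Assumes Snort 1.x built with
# --enable-flexresp (libnet present) so that the "resp" keyword is available.
# $HOME_NET / $EXTERNAL_NET are assumed to be set in snort.conf.

# Match the CodeRed probe (GET /default.ida?NNNN...) only on established
# traffic (ACK set), so a bare SYN scan never provokes an injected reset.
# rst_all sends a TCP RST to both endpoints, tearing the connection down
# without any per-source state on the firewall.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS CodeRed /default.ida probe - reset both sides"; flags:A+; content:"/default.ida?"; nocase; resp:rst_all; sid:1000001; rev:1;)

# Variation: rst_snd resets only the sending (attacking) side, for sites that
# do not want the sensor injecting packets towards their own servers.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS CodeRed /default.ida probe - reset sender only"; flags:A+; content:"/default.ida?"; nocase; resp:rst_snd; sid:1000002; rev:1;)
```

The rule file is loaded through the usual `include` in snort.conf and the sensor started with `snort -c snort.conf -i eth1`. Whether the injected RSTs actually leave an interface that was only brought up with `ifconfig eth1 up` and has no address is exactly the question Dmitry raises above; this example does not settle it, it only shows the rule side of the setup.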