Snort mailing list archives

Re: Cisco PIX firwalls..


From: counter.spy () gmx de
Date: Mon, 15 Apr 2002 21:27:53 +0200 (MEST)

I don't know if anyone is interested in a newbie's opinion :)

But I would like to tell you that I _completely_ agree with Erek.
Firstly, I need to say that I was very fond of active response mechanisms
_before_ I tested them. It seemed to be a cool thing.
What I found out:
You can run into a _hell_ of problems using active response mechanisms.
An example:
Take a RealSecure Server Sensor with default Windows_Maximum signatures.
If an attack occurs that triggers a blocking rule, the attacking host will
be blocked for half an hour.
Okay, if I send fake attacks with spoofed IPs I can even prevent the admins
from connecting to their machines or prevent the IDS components from being
connected to by the console :(

Another example - active Firewall reconfiguration.
From what I know, you can only block an IP address or a service.
Wanna DoS a service? If a site uses active firewall reconfiguration,
you simply have to send lots and lots of spoofed attacks and the whole
damned Internet will be unable to connect to the site (okay, maybe this is
somewhat exaggerated, but you *really* can generate a lot of trouble).

But this is just my humble opinion and, as I said, I am a newbie and maybe
I just did not configure my IDS properly. Well, it should not have such
default settings in the first place.

BTW: I will *not* recommend usage of active response in my diploma thesis.
It's so difficult to keep track of those blocking rules.

IDS is expensive and you usually have a hard time justifying that you need
xxxxx$ again for additional sensors and stuff. So if you _ever_ cause network
problems because your IDS blocks legitimate connections for whatever reason,
your job will get a lot more unpleasant for you and you can forget that
additional money you need for your IDS ;)

Greetings,
D. Liesen



Erek spoke:

<flailing robot arms>

      DANGER!  DANGER!  DANGER WILL ROBINSON!  [0]

</flailing robot arms>




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
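The spoofed-source self-DoS described in the post above, as an added example that is not part of the original message and not code from RealSecure, Snort or any other IDS product. It simulates an active responder that bans a source for half an hour on every blocking alert, feeds it a constructed alert stream in which an attacker spoofs the admin console's address and then a flood of bogus sources, and, going one step beyond the post, puts a guarded variant beside it. The guards (a never-block allowlist and a cap on blocks per sliding window) are assumed mitigations for illustration; the alert layout, addresses, signature name and helper names are all made up.

```python
"""Simulation of IDS active response and the spoofed-source self-DoS described
in the post above.  This is an added example, not code from the post or from
RealSecure/Snort; the alert layout, addresses and helper names are made up."""
import ipaddress
from dataclasses import dataclass, field

BLOCK_SECONDS = 1800  # the "half an hour" default quoted in the post


@dataclass
class Alert:
    ts: float        # time the sensor raised the alert (seconds)
    src: str         # source IP as seen on the wire, trivially spoofable
    dst: str
    sig: str
    blocking: bool   # True if the signature carries a block/reconfigure action


@dataclass
class ActiveResponder:
    """Naive responder: every blocking alert bans its source for block_seconds."""
    block_seconds: int = BLOCK_SECONDS
    blocks: dict = field(default_factory=dict)  # src -> expiry timestamp

    def on_alert(self, alert: Alert) -> bool:
        if not alert.blocking:
            return False
        self.blocks[alert.src] = alert.ts + self.block_seconds
        return True

    def is_blocked(self, src: str, now: float) -> bool:
        expiry = self.blocks.get(src)
        return expiry is not None and now < expiry


class GuardedResponder(ActiveResponder):
    """Same responder with two guards (assumed mitigations, not product features):
    never block addresses on an allowlist (consoles, DNS, upstream routers), and
    refuse new blocks once the count in a sliding window reaches a cap, which is
    what a spoofed flood looks like from the sensor's point of view."""

    def __init__(self, never_block, max_blocks_per_window, window_seconds,
                 block_seconds=BLOCK_SECONDS):
        super().__init__(block_seconds)
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.max_blocks = max_blocks_per_window
        self.window = window_seconds
        self.recent = []    # timestamps of blocks actually installed
        self.dropped = []   # (alert, reason) for blocks that were refused

    def on_alert(self, alert: Alert) -> bool:
        if not alert.blocking:
            return False
        if any(ipaddress.ip_address(alert.src) in net for net in self.never_block):
            self.dropped.append((alert, "allowlisted"))
            return False
        # keep only blocks installed inside the current window
        self.recent = [t for t in self.recent if alert.ts - t < self.window]
        if len(self.recent) >= self.max_blocks:
            self.dropped.append((alert, "block storm"))
            return False
        self.recent.append(alert.ts)
        return super().on_alert(alert)


ADMIN_CONSOLE = "10.0.0.5"      # constructed: the admins' management host
WEB_SERVER = "10.0.0.80"        # constructed: the protected service
REAL_ATTACKER = "203.0.113.7"   # constructed: a genuine attacking host


def spoofed_flood(start: float, n: int) -> list:
    """Constructed alert stream: one real attack, one attack spoofed from the
    admin console, then n attacks spoofed from distinct bogus sources."""
    sig = "TEST-SIG blocking rule"   # made-up signature name
    alerts = [Alert(start, REAL_ATTACKER, WEB_SERVER, sig, True),
              Alert(start + 1, ADMIN_CONSOLE, WEB_SERVER, sig, True)]
    for i in range(n):
        alerts.append(Alert(start + 2 + i, f"198.51.100.{i % 254 + 1}",
                            WEB_SERVER, sig, True))
    return alerts


def run(responder: ActiveResponder, alerts: list) -> ActiveResponder:
    """Feed every alert to the responder and hand it back for inspection."""
    for alert in alerts:
        responder.on_alert(alert)
    return responder


if __name__ == "__main__":
    t0 = 1_000_000.0
    stream = spoofed_flood(t0, 50)
    naive = run(ActiveResponder(), stream)
    guarded = run(GuardedResponder(["10.0.0.0/24"], 20, 60), stream)
    print("naive:   admin console blocked?", naive.is_blocked(ADMIN_CONSOLE, t0 + 5),
          "| blocks installed:", len(naive.blocks))
    print("guarded: admin console blocked?", guarded.is_blocked(ADMIN_CONSOLE, t0 + 5),
          "| blocks installed:", len(guarded.blocks),
          "| refused:", len(guarded.dropped))
```

With the naive responder the admin console ends up on the block list after a single spoofed packet and every bogus source gets its own half-hour entry, which is the firewall-reconfiguration DoS the post describes. The guarded variant still blocks the real attacker but refuses the allowlisted console and stops installing blocks once the window cap is hit; note that the cap only limits the damage, since an attacker can still spend those 20 slots on whichever addresses they choose to spoof, so the allowlist does the real work.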
