Snort mailing list archives
Re: Cisco PIX firwalls..
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 17 Apr 2002 23:14:00 -0500
On Mon, 2002-04-15 at 14:27, counter.spy () gmx de wrote:
I dont know if anyone is interested in a newbies opinion :) But I would like to tell you that I _completely_ agree with Erek. Firstly I need to tell that I was very fond of active response mechanisms _before_ I tested those. It seemed to be a cool thing. What I found out: You can run in a _hell_ of problems using active response mechanisms. An example: Take a RealSecure Server Sensor with default Windows_Maximum signatures. If an attack occurs that triggers a blocking rule, the attacking host will be blocked for half an hour. Okay, if I send fake attacks with spoofed IPs I can even prevent the admins to connect to their machines or prevent the IDS components to be connected to by the console :( Another example - active Firewall reconfiguration. From what I know, you can only block an IP address or a service. Wanna DOS a service? If a site uses active Firewall reconfiguration you simply have to send lots and lots of spoofed attacks and the whole damned Internet will be unable to connect to the site (okay, maybe this is somewhat exaggerated, but you *really* can generate a lot of trouble).
Detmar, take a look at SnortSam (http://wwww.snortsam.net). Your (and Erek's) concerns are valid, but can be countered with a better implementation (one that does not just does a blind block). I tried to put these countermeasures in SnortSam because ... well... I was scared myself :) Using the threshold mechanism will detect a DoS and turn the active response off until the attack ends. Also, I strongly recommend blocking only for short time intervals, not permanently. Well... anyway.... check out SnortSam and let me know if you have any other suggestions to make active response safer. Regards, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Cisco PIX firwalls.. Austin Gonyou (Apr 12)
- Re: Cisco PIX firwalls.. Ashley Thomas (Apr 12)
- Re: Cisco PIX firwalls.. Erek Adams (Apr 13)
- <Possible follow-ups>
- RE: Cisco PIX firwalls.. Kent Hundley (Apr 14)
- RE: Cisco PIX firwalls.. Joe Smith (Apr 15)
- RE: Cisco PIX firwalls.. Erek Adams (Apr 15)
- RE: Cisco PIX firwalls.. Austin Gonyou (Apr 15)
- RE: Cisco PIX firwalls.. Erek Adams (Apr 15)
- Re: Cisco PIX firwalls.. counter . spy (Apr 15)
- Re: Cisco PIX firwalls.. Frank Knobbe (Apr 17)