Snort mailing list archives
RE: SHUN
From: "ams67" <ams67 () xtra co nz>
Date: Tue, 3 Dec 2002 12:02:09 +1300
-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Tuesday, 3 December 2002 11:43 a.m.
To: ams67
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] SHUN

On Mon, 2002-12-02 at 15:47, ams67 wrote:
> IMAO IDSs should not interfere with FWs. If I spoof my IP address with your current, e.g. DNS server and send a forged packet with an attack signature to your network protected by your IDS/FW integrated system I can create an easy DoS by stopping legal and operational traffic. That is really easy to accomplish (e.g. nmap -D your.good.dns.server, your.good.external.router, etc.).

Basically true, but you can minimize the risk of those conditions. SnortSam and Guardian for example have white-lists. Also, SnortSam can detect DoS conditions and undo recent blocks and sit idle for a while.

Being able to DoS someone by spoofing DNS servers is becoming lame... (no offense, but that argument has been beaten to death...)

Frank

--------------------------------------------------------

Of course, a white list can minimize the risk of DoS, but it also increases the risk of not detecting an internal attack. Therefore, it is a question of choosing which is less risky...

I personally prefer to leave the job of detecting network anomalies to an IDS, the job of filtering unwanted packets to a FW and the job of deciding what is right to stop to the skills of the security operator. The IDS technologies are still in an early stage before I can totally rely on them. I think now they are just good tools to 'help' to make decisions.

No offence taken, however I mentioned DNS and external router as a simple example. The fact it has been beaten to death does not change the level of potential threat.

Tony