Snort mailing list archives
RE: SHUN
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 03 Dec 2002 14:29:46 -0600
On Tue, 2002-12-03 at 14:19, ams67 wrote:
Thank you for your clear explanation. However, I still have a possible 'lame' question to ask. :-) Please correct me if I am wrong. If I am the attacker and I do not want my IP address blocked by SnortSam, I could launch a SYN-flood attack so I achieve a kind of 'fail-open' status. In the meantime, I launch the real attack, which will not be blocked as I managed to reach the threshold with my previous SYN attack. In this way I can easily evade the functionality of SnortSam.
That is correct. If you know that an environment is using SnortSam, and the admin has the rollback mechanism enabled, then yes, you can pry (and hold) SnortSam open (your normal firewall rules still apply). There is no silver bullet for security. The way SnortSam works, I'd rather have it fail open than shut. It is designed to augment your security setup, not replace it. For me, it's perfect to blind scanners and prevent certain exploits. There are other devices, like WatchGuard's Firebox, that will keep blocking (afaik) upon detection of a scan. They might be more susceptible to a DoS.
I understand that in security nothing is foolproof; however, I still think that tools like SnortSam or Guardian are still too 'fool' to be used in a productive/operational environment.
As I said, WatchGuard uses it in production. And yes, it may not be for every environment. Neither are Intrusion Protection Devices like Hogwash. The security tools that we currently have are all in their infancy, except maybe firewalls/packet filters. IDSs still suck (except Snort ;) due to false positives. It all needs time to mature.
Frank
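As an added illustration (not SnortSam's own code; the threshold, window and hold-time parameters are assumed), the following Python model shows the fail-open rollback discussed above and the event a defender should log and alert on when it fires:

```python
# Hypothetical model of a blocking agent with a "rollback" safety valve.
# This is an illustration only, not SnortSam's actual implementation.
from collections import deque


class RollbackAgent:
    """Honours block requests until more than `threshold` arrive within
    `window` seconds, then rolls back: drops all blocks and ignores new
    ones for `hold` seconds (assumed behaviour)."""

    def __init__(self, threshold=5, window=10.0, hold=60.0):
        self.threshold, self.window, self.hold = threshold, window, hold
        self.blocked = set()
        self.recent = deque()      # timestamps of recent block requests
        self.rollback_until = 0.0
        self.events = []           # what a defender should log/alert on

    def block(self, ip, now):
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if now < self.rollback_until:
            self.events.append(("ignored_during_rollback", ip, now))
            return False
        if len(self.recent) > self.threshold:
            # Safety valve: too many blocks in a short time, so assume the
            # IDS is being fed noise and fail open instead of walling off
            # the network. This is the moment an admin must be alerted.
            self.blocked.clear()
            self.rollback_until = now + self.hold
            self.events.append(("rollback_triggered", ip, now))
            return False
        self.blocked.add(ip)
        return True

    def is_blocked(self, ip):
        return ip in self.blocked


def simulate():
    """Constructed scenario: a burst of alerts from one source trips the
    rollback; a later block request for another source is then dropped."""
    agent = RollbackAgent(threshold=5, window=10.0, hold=60.0)
    noise_src = "198.51.100.7"     # RFC 5737 documentation address
    for t in range(6):             # six alerts within six seconds
        agent.block(noise_src, float(t))
    enforced = agent.block("203.0.113.9", 20.0)   # still inside the hold
    alerts = [name for name, _, _ in agent.events]
    return enforced, alerts, agent.is_blocked(noise_src)
```

The `rollback_triggered` event is the signal to monitor: without it, the agent silently stops enforcing blocks for the hold period.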