Snort mailing list archives

Re: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor


From: Matt Jonkman <jonkman () jonkmans com>
Date: Thu, 18 Dec 2008 15:42:05 -0500

Joel Esler wrote:
The more suspicious things they do the more points they get until they cross a threshold and get blocked. So properly configured we could detect someone probing for pages to attack before they got to the sql injection.

Yeah, that's great, until you start blocking real customers. End of that product.

No, then you adjust to not block real customers. We've been doing so for
quite a long time and blocking IPS's are still around.

Because I'm not yet sure that everything coming at me from tor is bad.
And I doubt that I'll be able to say everything from there is bad. But
it tells me something about what's coming at me and helps me make a
block decision.

Exactly my point. Just because something *can* alert, doesn't mean it should. Block at the perimeter devices and monitor what actually gets through.

Different philosophies here. See my last post. I don't care to let
people beat on the door until they get through. I would rather the
night-watchman taser the crackhead beating on the front window to my
bank even though he may not be able to break the glass. Both approaches
are valid.


More information is usually better IMHO.

More information that allows you to have actionable intelligence is better. Alerts that go into a db just "Because"? Pointless.


Agreed. But this isn't pointless by any means. Depends on how you act
upon intelligence.

Matt


--
Joel Esler
  http://www.joelesler.net
[m]


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


