Snort mailing list archives
Re: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor
From: Matt Jonkman <jonkman () jonkmans com>
Date: Thu, 18 Dec 2008 15:42:05 -0500
Joel Esler wrote:
> > The more suspicious things they do the more points they get until they cross a threshold and get blocked. So properly configured we could detect someone probing for pages to attack before they got to the SQL injection.
>
> Yeah, that's great, until you start blocking real customers. End of that product.

No, then you adjust to not block real customers. We've been doing so for quite a long time and blocking IPSs are still around.

> > Because I'm not yet sure that everything coming at me from Tor is bad. And I doubt that I'll be able to say everything from there is bad. But it tells me something about what's coming at me and helps me make a block decision.
>
> Exactly my point. Just because something *can* alert, doesn't mean it should. Block at the perimeter devices and monitor what actually gets through.

Different philosophies here. See my last post. I don't care to let people beat on the door until they get through. I would rather the night-watchman taser the crackhead beating on the front window to my bank even though he may not be able to break the glass. Both approaches are valid.

> > More information is usually better IMHO.
>
> More information that allows you to have actionable intelligence is better. Alerts that go into a db just "Because"? Pointless.

Agreed. But this isn't pointless by any means. Depends on how you act upon intelligence.

Matt
> --
> Joel Esler
> http://www.joelesler.net [m]
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
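The thread above argues about a cumulative scoring model: each suspicious event adds points to a source, and the source is blocked only once it crosses a threshold, with the configuration "adjusted" so real customers are not blocked. The following is an added example written for this archive page, not code from either poster, Snort or Emerging Threats. The point values, the ten-minute decay window, the allowlist, the alert categories and the sample alert lines are all constructed assumptions; it shows the probing source crossing the threshold before its injection attempt arrives, a customer whose single stray alert ages out, and an allowlisted customer that is never auto-blocked even when its score crosses the line.

```python
"""Per-source threshold scoring over constructed alert lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Points per alert category. Assumed values for illustration; tune per environment.
POINTS = {
    "TOR exit node": 1,      # low-value context signal, not a verdict on its own
    "WEB-MISC probe": 2,     # reconnaissance for attackable pages
    "WEB-ATTACK sqli": 10,   # actual attack attempt
}
THRESHOLD = 12                   # score at which a source is blocked (assumed)
WINDOW = timedelta(minutes=10)   # events older than this stop counting (assumed)
# Sources that must never be auto-blocked: the "real customers" adjustment.
ALLOWLIST = {"203.0.113.50"}


class Scorer:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, allowlist=ALLOWLIST):
        self.threshold = threshold
        self.window = window
        self.allowlist = set(allowlist)
        self.events = defaultdict(list)   # src -> [(timestamp, points), ...]
        self.blocked = {}                 # src -> timestamp of the blocking event

    def record(self, ts, src, category):
        """Add one event for src and return its current score.

        Events outside the window are dropped first, so a source with an
        occasional stray alert decays back toward zero instead of accumulating
        forever. Unknown categories score nothing."""
        self.events[src].append((ts, POINTS.get(category, 0)))
        self.events[src] = [(t, p) for t, p in self.events[src] if ts - t <= self.window]
        score = self.score(src)
        if (score >= self.threshold
                and src not in self.allowlist
                and src not in self.blocked):
            self.blocked[src] = ts
        return score

    def score(self, src):
        return sum(p for _, p in self.events[src])

    def is_blocked(self, src):
        return src in self.blocked


def parse_line(line):
    """Parse a constructed alert line of the form '<ISO timestamp> <src ip> <category>'."""
    ts_s, src, category = line.split(" ", 2)
    return datetime.fromisoformat(ts_s), src, category


# Constructed sample alerts (documentation/test address ranges, not real traffic).
SAMPLE_LOG = [
    "2008-12-18T15:00:00 198.51.100.7 TOR exit node",
    "2008-12-18T15:00:05 198.51.100.7 WEB-MISC probe",
    "2008-12-18T15:00:10 198.51.100.7 WEB-MISC probe",
    "2008-12-18T15:00:15 198.51.100.7 WEB-MISC probe",
    "2008-12-18T15:00:20 198.51.100.7 WEB-MISC probe",
    "2008-12-18T15:00:25 198.51.100.7 WEB-MISC probe",
    "2008-12-18T15:00:30 198.51.100.7 WEB-MISC probe",    # score reaches 13: blocked here
    "2008-12-18T15:00:35 198.51.100.7 WEB-ATTACK sqli",   # arrives after the block
    "2008-12-18T15:01:00 192.0.2.9 WEB-MISC probe",       # one stray alert from a customer
    "2008-12-18T15:02:00 203.0.113.50 WEB-ATTACK sqli",   # allowlisted source
    "2008-12-18T15:02:10 203.0.113.50 WEB-MISC probe",
    "2008-12-18T15:30:00 192.0.2.9 WEB-MISC probe",       # earlier probe has aged out
]


def run(lines):
    """Feed alert lines through a fresh Scorer and return it for inspection."""
    scorer = Scorer()
    for line in lines:
        scorer.record(*parse_line(line))
    return scorer


if __name__ == "__main__":
    s = run(SAMPLE_LOG)
    for src in ("198.51.100.7", "192.0.2.9", "203.0.113.50"):
        state = "BLOCKED at %s" % s.blocked[src] if s.is_blocked(src) else "not blocked"
        print("%-14s score=%-3d %s" % (src, s.score(src), state))
```

The two knobs that separate "detect the probe before the injection" from "block real customers" are the decay window and the allowlist: without decay, any long-lived customer eventually accumulates enough low-value alerts to trip the threshold, and without an allowlist a false positive on a known-good source is indistinguishable from a real attacker. Both are a policy decision, which is the adjustment the reply above refers to.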