[Snort-devel] IDS fingerprinting techniques & Snort's FlexR esponse...

agetchel at ...358... agetchel at ...358...
Wed Aug 22 23:28:21 EDT 2001


	Agreed.  The best you can do at a high-traffic site is to have a
passive IDS which would talk to a firewall that would drop the incoming
connections.  While this is cool functionality to have, it's something you
have to be _very_ careful about.  For instance...
	A company here in Kentucky was using their IDS to tell their
firewall to block all IP addresses it saw a CodeRed detect come in from.
Needless to say, their firewall crashed about four minutes after the worm
started to really pick up steam.  Doh! =)
	This same company quickly built a Snort box (per my recommendation),
and using flexresp, successfully kept the worm from nailing them until they
could get all of their IIS boxes patched.  This is one case where resetting
connections was completely necessary, and saved the day.  Marty, where do I
send testimonials about Snort? =)

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020 ext. 225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/


> -----Original Message-----
> From: Brian Caswell [mailto:bmc at ...227...]
> Sent: Wednesday, August 22, 2001 11:21 PM
> To: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] IDS fingerprinting techniques & Snort's
> FlexResponse...
> 
> 
> tlewis at ...255... wrote:
> > Personally, I think that the answer is to drop packets 
> rather than trying
> > to fool the attacker into stopping.  If you had a flexible 
> rule system,
> > then you could drop packets whose ttl is >= the ttl required for it
> > to get to the destination.  That way, traceroutes would go 
> right up to
> > the target of the attack and then die, with the attacker 
> having no clue
> > which box in the middle is doing the filtering.
> 
> Except in many enviorments, having a NIDS as a gateway is not 
> practical
> solution.  I don't agree with shooting down a session, but there are
> cases where it is needed.
> 
> -- 
> Brian Caswell
> The MITRE Corporation
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
> 




More information about the Snort-devel mailing list