[Snort-users] how to block an attacker.

Gregor Binder gbinder at ...462...
Wed Apr 4 12:28:15 EDT 2001


Henry Sieff on Wed, Apr 04, 2001 at 10:42:43AM -0500:

Henry,

> If you did this (I toyed around with the idea by using a perl proggie
> which would check for certain kinds of events and reconfigure my Cisco
> ACL's based upon it) you would want to restrict yourself to actual
> exploits where the source IP couldn't be spoofed without rooting your
> routers.)

using nemesis or something like it, you could produce a lot of packets
that trigger all kinds of different snort rules, and spoof the source
address with no problem. Doing some stateful filtering in front of your
sensor would help a little bit.

Regards,

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
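
The concern raised in this exchange, as an added example that is not part of either poster's message or of Snort itself: a filter that sits between the alert log and any automatic ACL change, and only passes source addresses from alerts that a forged packet could not have produced on its own. Assumptions: alerts are in Snort's fast-alert line format, `ESTABLISHED_ONLY_SIDS` and `NEVER_BLOCK` are hypothetical operator-maintained lists, and the sample alerts are constructed with documentation addresses and made-up SIDs.

```python
import ipaddress
import re

# Fast-alert style: ... [gid:sid:rev] msg ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+\d+\.\d+\.\d+\.\d+"
)

# Assumption: SIDs of local rules the operator has confirmed can only fire
# inside an established TCP session (hypothetical list).
ESTABLISHED_ONLY_SIDS = {1000001}

# Assumption: addresses that must never be blocked, whatever an alert says
# (own gateways, resolvers), so a forged source cannot cut off the site.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("192.0.2.0/28", "198.51.100.53/32")]


def block_candidates(lines, min_hits=2):
    """Return sorted source IPs that are reasonable to hand to an ACL updater."""
    hits = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        # Alerts on UDP/ICMP, or on TCP rules that match a lone packet,
        # prove nothing about who sent the traffic: skip them.
        if m["proto"] != "TCP" or int(m["sid"]) not in ESTABLISHED_ONLY_SIDS:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in NEVER_BLOCK):
            continue
        hits[src] = hits.get(src, 0) + 1
    return [str(ip) for ip in sorted(ip for ip, n in hits.items() if n >= min_hits)]


def _alert(sid, proto, src):
    return (f"04/04-12:28:15.000001 [**] [1:{sid}:1] constructed sample [**] "
            f"[Priority: 1] {{{proto}}} {src}:40112 -> 192.0.2.20:80")


# Constructed sample alerts.
SAMPLE = (
    [_alert(1000001, "TCP", "203.0.113.7")] * 2      # established, repeated
    + [_alert(1000002, "UDP", "203.0.113.99")] * 5   # spoofable protocol
    + [_alert(1000003, "TCP", "203.0.113.50")] * 2   # rule fires on lone packets
    + [_alert(1000001, "TCP", "198.51.100.53")] * 2  # on the never-block list
    + [_alert(1000001, "TCP", "203.0.113.8")]        # below the hit threshold
)
```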



