[Snort-users] how to block an attacker.

Henry Sieff hsieff at ...519...
Wed Apr 4 12:35:15 EDT 2001


> -----Original Message-----
> From: Gregor Binder [mailto:gbinder at ...462...]
> Sent: Wednesday, April 04, 2001 11:28 AM
> To: Henry Sieff
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] how to block an attacker.
> 
> 
> Henry Sieff on Wed, Apr 04, 2001 at 10:42:43AM -0500:
> 
> Henry,
> 
> > If you did this (I toyed around with the idea by using a perl proggie
> > which would check for certain kinds of events and reconfigure my Cisco
> > ACLs based upon it) you would want to restrict yourself to actual
> > exploits where the source IP couldn't be spoofed without rooting your
> > routers.)
> 
> using nemesis or something like it, you could produce a lot of packets
> that trigger all kinds of different snort rules, and spoof the source
> address with no problem. Doing some stateful filtering in front of your
> sensor would help a little bit.

Hadn't thought of that, but I only did it for a little while, and it
was for snort sensors which were behind packet filters. I was
uncomfortable with the idea, as I said, and maybe, my subconscious was
aware of the scenario you described.

I also got syslog reports of the router changes, so such an attack
would've been quickly noticed. Although that just added another level
of complexity.

Henry
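
The point the two messages above circle around is that an automated blocker driven by IDS alerts is itself an attack surface: a flood of spoofed packets can trick it into cutting off legitimate addresses. The script below is an added illustration written for this archive page, not Henry's perl program or anything from the Snort project. It reads Snort "fast"-style alert lines (the sample lines are constructed), and only acts on alerts that pass three checks: the alert must be for TCP and for a rule id the operator has vetted as firing only over an established session (the sids 1001 and 1002 are assumed placeholders), the source must not fall in a never-block list (the 192.168.1.0/24 and 10.0.0.1 entries are assumed), and a cap limits how many addresses can be blocked at all. Every decision, including the ones it declines, is recorded in an audit list standing in for the syslog trail Henry mentions. The Cisco-style `access-list 101 deny ip host ... any` line is only generated as a string, never pushed to a device.

```python
import ipaddress
import re
from dataclasses import dataclass

# Regex for Snort's one-line "fast" alert format, e.g.
# 04/04-10:42:43.1 [**] [1:1001:3] MSG [**] [Priority: 1] {TCP} 203.0.113.7:4321 -> 192.168.1.10:23
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    dst: str

def parse_alert(line):
    """Return an Alert for a fast-format line, or None if the line does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m.group("sid")), m.group("msg"), m.group("proto"),
                 m.group("src"), m.group("dst"))

# Assumption (placeholder sids): rules the operator has vetted as firing only on
# payload that must arrive inside an established TCP session, so a remote sender
# cannot fake the source without sitting in the routing path.
SESSION_BOUND_SIDS = {1001, 1002}

# Assumption (placeholder networks): infrastructure the sensor and router depend
# on; an auto-blocker must never be able to cut these off.
NEVER_BLOCK = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("10.0.0.1/32")]

MAX_BLOCKS = 50  # hard cap so a flood of alerts cannot grow the ACL without bound

class AutoBlocker:
    def __init__(self, max_blocks=MAX_BLOCKS):
        self.blocked = []      # addresses an ACL entry was generated for
        self.audit = []        # every decision; in production this goes to syslog
        self.max_blocks = max_blocks

    def decide(self, alert):
        """Return the reason an alert is NOT acted on, or None if it should be blocked."""
        if alert.proto != "TCP":
            return "non-TCP alert: source address trivially spoofable"
        if alert.sid not in SESSION_BOUND_SIDS:
            return "sid not vetted as session-bound"
        if any(ipaddress.ip_address(alert.src) in net for net in NEVER_BLOCK):
            return "source is on the never-block list"
        if alert.src in self.blocked:
            return "already blocked"
        if len(self.blocked) >= self.max_blocks:
            return "block cap reached; refusing to add more"
        return None

    def handle(self, line):
        """Process one alert line; return the ACL line it would push, or None."""
        alert = parse_alert(line)
        if alert is None:
            return None
        reason = self.decide(alert)
        if reason:
            self.audit.append(f"SKIP sid={alert.sid} src={alert.src}: {reason}")
            return None
        self.blocked.append(alert.src)
        acl = f"access-list 101 deny ip host {alert.src} any"  # Cisco-style, illustrative only
        self.audit.append(f"BLOCK sid={alert.sid} src={alert.src}: {acl}")
        return acl

def run(lines, blocker=None):
    """Feed alert lines through a blocker; return the ACL lines it would generate."""
    blocker = blocker or AutoBlocker()
    return [acl for acl in (blocker.handle(line) for line in lines) if acl]

# Constructed sample alerts (not real Snort output): one that qualifies, then
# one each that is non-TCP, an unvetted sid, a never-block source, and a repeat.
SAMPLE_ALERTS = [
    "04/04-10:42:43.1 [**] [1:1001:3] CONSTRUCTED exploit over session [**] [Priority: 1] {TCP} 203.0.113.7:4321 -> 192.168.1.10:23",
    "04/04-10:42:44.2 [**] [1:1001:3] CONSTRUCTED exploit over session [**] [Priority: 1] {UDP} 198.51.100.9:53 -> 192.168.1.10:53",
    "04/04-10:42:45.3 [**] [1:9999:1] CONSTRUCTED noisy scan rule [**] [Priority: 3] {TCP} 203.0.113.8:1025 -> 192.168.1.10:80",
    "04/04-10:42:46.4 [**] [1:1002:1] CONSTRUCTED exploit over session [**] [Priority: 1] {TCP} 192.168.1.50:2000 -> 192.168.1.10:21",
    "04/04-10:42:47.5 [**] [1:1001:3] CONSTRUCTED exploit over session [**] [Priority: 1] {TCP} 203.0.113.7:4322 -> 192.168.1.10:23",
]

if __name__ == "__main__":
    b = AutoBlocker()
    for acl in run(SAMPLE_ALERTS, b):
        print("would push:", acl)
    for entry in b.audit:
        print(entry)
```

Run as-is it generates exactly one ACL line, for 203.0.113.7, and records why the other four alerts were ignored. The vetted-sid list is the hard part in practice: it has to be maintained by hand, since nothing in the alert itself proves the rule needed a completed handshake.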
