[Snort-users] SHUN

Frank Knobbe fknobbe at ...652...
Mon Dec 2 14:44:04 EST 2002


On Mon, 2002-12-02 at 15:47, ams67 wrote:
> IMAO IDSs should not interfere with FWs. If I spoof my IP address with
> your current, e.g. DNS server and send a forged packet with an attack
> signature to your network protected by your IDS/FW integrated system I
> can create an easy DoS by stopping legal and operational traffic. 
> That is really easy to accomplish (e.g. nmap -D your.good.dns.server,
> your.good.external.router, etc..).

Basically true, but you can minimize the risk of those conditions.
SnortSam and Guardian for example have white-lists. Also, SnortSam can
detect DoS conditions and undo recent blocks and sit idle for a while.

Being able to DoS someone by spoofing DNS servers is becoming lame...
(no offense, but that argument has been beaten to death...)

Frank
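
The two mitigations mentioned in the reply above, a white-list and undoing recent blocks followed by an idle period when blocks arrive suspiciously fast, sketched as an added example that is not part of the original message and is not SnortSam's or Guardian's code. The class name, thresholds, and addresses are assumptions chosen for illustration.

```python
import ipaddress
from collections import deque

class ShunGate:
    """Decides whether an IDS alert may turn into a firewall block."""

    def __init__(self, whitelist, max_blocks=5, window=10.0, idle=60.0):
        # Thresholds are assumed values, not defaults of any real tool.
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.max_blocks, self.window, self.idle = max_blocks, window, idle
        self.recent = deque()   # (timestamp, ip) of blocks inside the window
        self.blocked = set()    # stands in for the firewall's block list
        self.idle_until = 0.0

    def request_block(self, ip, now):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "whitelisted"        # never shun DNS servers, routers, etc.
        if now < self.idle_until:
            return "idle"               # cooling off after a suspected flood
        if ip in self.blocked:
            return "already-blocked"
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()       # forget blocks older than the window
        if len(self.recent) >= self.max_blocks:
            # Too many new sources in one window: assume spoofed alerts,
            # undo the blocks made during the burst and stop blocking.
            for _, recent_ip in self.recent:
                self.blocked.discard(recent_ip)
            self.recent.clear()
            self.idle_until = now + self.idle
            return "rollback"
        self.recent.append((now, ip))
        self.blocked.add(ip)
        return "blocked"

if __name__ == "__main__":
    # Constructed alert stream: (seconds, source IP claimed by the packet).
    gate = ShunGate(["192.0.2.53/32"], max_blocks=3)
    alerts = [(0, "192.0.2.53"), (1, "203.0.113.1"), (2, "203.0.113.2"),
              (3, "203.0.113.3"), (4, "203.0.113.4"), (5, "203.0.113.5")]
    for t, src in alerts:
        print(t, src, gate.request_block(src, t))
```
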
