[Snort-users] SHUN

ams67 ams67 at ...3655...
Mon Dec 2 15:03:02 EST 2002


-----Original Message-----
From: Frank Knobbe [mailto:fknobbe at ...652...] 
Sent: Tuesday, 3 December 2002 11:43 a.m.
To: ams67
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] SHUN

On Mon, 2002-12-02 at 15:47, ams67 wrote:
> IMAO IDSs should not interfere with FWs. If I spoof my IP address with
> your current, e.g. DNS server and send a forged packet with an attack
> signature to your network protected by your IDS/FW integrated system I
> can create an easy DoS by stopping legal and operational traffic. 
> That is really easy to accomplish (e.g. nmap -D your.good.dns.server,
> your.good.external.router, etc..).

Basically true, but you can minimize the risk of those conditions.
SnortSam and Guardian for example have white-lists. Also, SnortSam can
detect DoS conditions and undo recent blocks and sit idle for a while.

Being able to DoS someone by spoofing DNS servers is becoming lame...
(no offense, but that argument has been beaten to death...)

Frank
--------------------------------------------------------
Of course, white list can minimize the risk of DoS, but it also increase
the risk for not detecting an internal attack. Therefore, it is question
to choose which is less risky...
I personally prefer to leave job of detect network anomalies to an IDS,
the job to filter unwanted packet to a FW and the job to decide what is
right to stop to the skills of the security operator. The IDS
technologies are still in a early stage before I can totally rely on it.
I think now they are just good tools to 'help' to make decision.

No offence taken, however I mentioned DNS and external router as a
simple example. The fact it has been beaten to death does not change the
level of potential threat.

Tony





More information about the Snort-users mailing list