[Snort-users] SHUN

Alberto Gonzalez albertg at ...7149...
Mon Dec 2 20:36:04 EST 2002

ams67 wrote:

>Of course, white list can minimize the risk of DoS, but it also increase
>the risk for not detecting an internal attack. Therefore, it is question
>to choose which is less risky...
>I personally prefer to leave job of detect network anomalies to an IDS,
>the job to filter unwanted packet to a FW and the job to decide what is
>right to stop to the skills of the security operator. The IDS
>technologies are still in a early stage before I can totally rely on it.
>I think now they are just good tools to 'help' to make decision.
>No offence taken, however I mentioned DNS and external router as a
>simple example. The fact it has been beaten to death does not change the
>level of potential threat.

Maybe I missed something. but what does a white-list of IP's have todo 
with missing internal attacks?
Yes, snortsam does active blocking. doesn't mean the engine it uses 
stops alerting on malicious packets.
You configure the rules to use with snortsam. YOU have control. Just 
configure snortsam (which uses snort)
to listen on the internal interface, or am I just extremly tired?

    - Alberto

The secret to success is to start from scratch and keep on scratching.

More information about the Snort-users mailing list