[Snort-users] SHUN

Alberto Gonzalez albertg at ...7149...
Tue Dec 3 03:36:05 EST 2002


The white-list is a basic "Do Not Block" list. I block anything that
isn't a SYN at the fw.
People think that an IDS is their answer to everything, which in fact it
isn't. It's one component in your network's defense against intruders.
It *should* work in conjunction with other devices and/or send logs to a
central mgmt console. That's why I like snortsam; yeah, it's an attempt
to be an All-In-One type thing, but I like it.

Cheers!

    - Alberto *Yawn* Gonzalez.

ams67 wrote:

>-----Original Message-----
>>From: snort-users-admin at lists.sourceforge.net
>>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Alberto Gonzalez
>>Sent: Tuesday, 3 December 2002 8:38 p.m.
>>Cc: snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] SHUN
>>
>>Maybe I missed something, but what does a white-list of IPs have to do
>>with missing internal attacks?
>>Yes, snortsam does active blocking. That doesn't mean the engine it uses
>>stops alerting on malicious packets.
>>You configure the rules to use with snortsam. YOU have control. Just
>>configure snortsam (which uses snort) to listen on the internal
>>interface, or am I just extremely tired?
>
>Perhaps I am the one who is missing something. I do not know snortsam (I
>will try it for sure). I thought that a white-list is the list of IP
>addresses that snortsam will not block and will 'analyze' as snort does,
>e.g. when you put in the DNS IP address to avoid false positives. However,
>I would like to understand how snortsam can manage a SYN flood attack
>where the IP source is randomly generated for each packet sent (e.g.
>synk4). Would filling up the logs and blocking hundreds of thousands of
>random IP addresses not be considered a successful DoS?
>
>Tony

-- 
The secret to success is to start from scratch and keep on scratching.
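As an added illustration of the concern raised in this exchange (not code from the thread, and not SnortSam's own logic): a toy model of an active-response block table that honours a "do not block" white-list and has a hard capacity limit, fed constructed alerts whose source addresses are random 32-bit values, the way a spoofed SYN flood would produce them. The class and function names, the cap, and the white-list addresses are all assumptions made for the example.

```python
import ipaddress
import random
from collections import OrderedDict

# Constructed "do not block" list, the white-list role described in the thread:
# the resolver and the default gateway must never be blocked by active response.
WHITELIST = ["10.0.0.53", "10.0.0.1"]

# Hypothetical hard cap on the block table (an assumption, not a SnortSam setting).
MAX_BLOCKS = 1000


class ActiveResponder:
    """Toy model of an IDS-driven blocker: one block per alerting source address."""

    def __init__(self, whitelist, max_blocks):
        self.whitelist = {ipaddress.ip_address(a) for a in whitelist}
        self.max_blocks = max_blocks
        self.blocked = OrderedDict()  # insertion order doubles as the age of a block
        self.stats = {"blocked": 0, "whitelisted": 0,
                      "already_blocked": 0, "table_full": 0}

    def handle_alert(self, src_ip):
        """Decide what happens to an alert from src_ip; returns the outcome label."""
        ip = ipaddress.ip_address(src_ip)
        if ip in self.whitelist:
            outcome = "whitelisted"        # never block the resolver or gateway
        elif ip in self.blocked:
            outcome = "already_blocked"
        elif len(self.blocked) >= self.max_blocks:
            outcome = "table_full"         # the cap, not the alert, now decides
        else:
            self.blocked[ip] = True
            outcome = "blocked"
        self.stats[outcome] += 1
        return outcome


def simulate_spoofed_flood(responder, n_packets, seed=1):
    """Feed n_packets alerts whose sources are random 32-bit addresses (constructed
    input standing in for a spoofed SYN flood) and return the outcome counts."""
    rng = random.Random(seed)
    for _ in range(n_packets):
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        responder.handle_alert(src)
    return dict(responder.stats)


if __name__ == "__main__":
    r = ActiveResponder(WHITELIST, MAX_BLOCKS)
    print(r.handle_alert("10.0.0.53"))  # the white-listed resolver is never blocked
    print(simulate_spoofed_flood(r, 5000))
    print("block table entries:", len(r.blocked))
```

Running it shows both halves of the thread's argument: the white-list keeps the DNS server out of the block table regardless of what alerts it triggers, while the flood fills the table with addresses that were never real peers, after which every further alert, including one from a genuine attacker, is answered with "table_full". A source address that the sender can choose freely is a poor key for automatic blocking; that is why a stateful firewall policy such as the one Alberto describes (only SYNs are admitted as new connections) is the place to absorb the flood, with the IDS still alerting on what gets through.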