[Snort-users] SHUN

Matt Kettler mkettler at ...4108...
Tue Nov 26 10:57:02 EST 2002


Snort itself doesn't support this, but there are add on tools that do. For 
example hogwash.

You can also use logwatch to monitor your snort log and kick of shell 
scripts to do whatever you want..

IMNSHO however, automated reconfiguration of your firewall is fraught with 
danger:

         1) If you do automated shuning of IPs based on triggering of snort 
rules I can now DoS you off the net by spoofing attacks from all the root 
DNS server IP's.. now you've blocked them and won't be able to resolve DNS 
until you go to your firewall and remove the entries. I can add them back 
faster than you can remove them until you turn this feature of your snort 
box off.

         2) since your firewall can be configured automatically, this means 
the authentication mechanism to snort is stored in your snort box. If I can 
penetrate your snort box I can now reconfigure your firewall any way I want 
to suit my needs. This effectively widens your security risks unless you're 
positive the snort box cannot access the internet.

At 09:48 AM 11/26/2002 -0800, Mike Koponick wrote:
>Hello,
>
>Does SNORT support adding commands to firewalls? As an example, if I
>received a BAD packet, I would like to add a filter based on that
>information to my firewall. I understand that SNORT cannot decide which
>packets are bad, but I would think we would be able to trace an issue once
>the command has been executed.
>
>Any ideas?
>
>
>Thanks in advance,
>
>Mike





More information about the Snort-users mailing list