[Snort-users] SHUN

Frank Knobbe fknobbe at ...652...
Tue Nov 26 13:12:04 EST 2002


On Tue, 2002-11-26 at 12:58, Matt Kettler wrote:
>          1) If you do automated shunning of IPs based on triggering of snort 
> rules I can now DoS you off the net by spoofing attacks from all the root 
> DNS server IPs.. now you've blocked them and won't be able to resolve DNS 
> until you go to your firewall and remove the entries. I can add them back 
> faster than you can remove them until you turn this feature of your snort 
> box off.

That's why SnortSam, but also Guardian I believe, support a white list.
In addition, SnortSam can detect a DoS by means of a blocking threshold
level.

>          2) since your firewall can be configured automatically, this means 
> the authentication mechanism to snort is stored in your snort box. If I can 
> penetrate your snort box I can now reconfigure your firewall any way I want 
> to suit my needs. This effectively widens your security risks unless you're 
> positive the snort box cannot access the internet.

A valid point. But it is addressed when IDS sensors are configured to
operate in stealth mode, by using taps, ro-cables, or IP-less interfaces.

Frank
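The two defences Frank names, a whitelist of addresses that must never be blocked and a blocking threshold that stops auto-shunning when the rate of new blocks looks like a spoofing flood, can be sketched in a few dozen lines. The following is an added example, not code from the original thread and not SnortSam's or Guardian's own implementation; the `ShunPolicy` class, the `NEVER_BLOCK` list and the sample alert stream are constructed for illustration (the root-server addresses are real, the internal ranges and the 203.0.113/198.51.100 sources are documentation addresses).

```python
import ipaddress
from collections import deque

# Constructed example whitelist (assumption, not from the thread): networks
# that an automated shun must never touch, whatever Snort alerts on.
NEVER_BLOCK = [
    ipaddress.ip_network("198.41.0.4/32"),     # a.root-servers.net
    ipaddress.ip_network("192.33.4.12/32"),    # c.root-servers.net
    ipaddress.ip_network("10.0.0.0/8"),        # internal network (assumed)
    ipaddress.ip_network("192.168.1.53/32"),   # local resolver (assumed)
]


class ShunPolicy:
    """Decide whether a Snort alert's source should be pushed to the firewall.

    Two defences against the spoofed-alert DoS discussed in the thread:
      * a whitelist: never block, regardless of how many alerts fire;
      * a blocking threshold: if more than `max_blocks` new blocks would be
        issued within `window` seconds, assume the alerts are being fed to us
        deliberately and refuse further automatic blocks until the rate drops.
    """

    def __init__(self, whitelist, max_blocks=10, window=60.0):
        self.whitelist = list(whitelist)
        self.max_blocks = max_blocks
        self.window = window
        self.recent = deque()   # timestamps of blocks issued in the window
        self.blocked = set()    # addresses currently pushed to the firewall

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def decide(self, ts, ip):
        """Return 'block', 'whitelisted', 'already_blocked' or 'threshold'."""
        if self.is_whitelisted(ip):
            return "whitelisted"
        if ip in self.blocked:
            return "already_blocked"
        # Forget block timestamps that have fallen out of the sliding window.
        while self.recent and ts - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_blocks:
            return "threshold"          # flood detected: do not add a rule
        self.recent.append(ts)
        self.blocked.add(ip)
        return "block"                  # here you would push the firewall rule


def run(policy, alerts):
    """Apply the policy to a list of (timestamp, source_ip) alerts."""
    return [(ip, policy.decide(ts, ip)) for ts, ip in alerts]


def demo():
    """Constructed alert stream: a spoofed root server, a repeat offender,
    a flood of twelve distinct spoofed sources, then one alert much later."""
    policy = ShunPolicy(NEVER_BLOCK, max_blocks=10, window=60.0)
    alerts = [(0.0, "198.41.0.4"), (1.0, "203.0.113.5"), (2.0, "203.0.113.5")]
    alerts += [(3.0 + i, "198.51.100.%d" % i) for i in range(12)]
    alerts += [(100.0, "203.0.113.77")]
    return run(policy, alerts)


if __name__ == "__main__":
    for ip, verdict in demo():
        print("%-16s %s" % (ip, verdict))
```

With a threshold of ten blocks per minute, the spoofed root-server alert is ignored outright, the first nine of the twelve flood sources are blocked (bringing the window to ten), the remaining three are refused with `threshold`, and once the window has drained the later alert is blocked normally. The `threshold` verdict is the point to raise an alarm to an operator rather than silently dropping alerts.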
