fknobbe at ...652...
Tue Nov 26 13:12:04 EST 2002
On Tue, 2002-11-26 at 12:58, Matt Kettler wrote:
> 1) If you do automated shunning of IPs based on triggering of snort
> rules I can now DoS you off the net by spoofing attacks from all the root
> DNS server IPs.. now you've blocked them and won't be able to resolve DNS
> until you go to your firewall and remove the entries. I can add them back
> faster than you can remove them until you turn this feature of your snort
> box off.
That's why SnortSam, but also Guardian I believe, support a white list.
In addition, SnortSam can detect a DoS by means of a blocking threshold.
> 2) since your firewall can be configured automatically, this means
> the authentication mechanism to snort is stored in your snort box. If I can
> penetrate your snort box I can now reconfigure your firewall any way I want
> to suit my needs. This effectively widens your security risks unless you're
> positive the snort box cannot access the internet.
A valid point. But it is addressed when IDS sensors are configured to
operate in stealth mode, by using taps, ro-cables, IP-less interfaces.
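An illustration of the two safeguards named in the reply above, a whitelist of addresses that are never shunned plus a blocking threshold that stops adding firewall entries when too many distinct sources get blocked in a short window. This is an added example for this archive page, not code from SnortSam, Guardian or Snort; the threshold semantics (a count of distinct newly blocked sources per time window), the `Shunner` class, the whitelist contents and the alert stream are all constructed here.

```python
import ipaddress
from collections import deque

# Constructed whitelist: hosts that must never be shunned, however many
# alerts carry their address as source. One real root server address is
# listed as the kind of entry the thread is talking about; the /24 is a
# made-up internal management network.
WHITELIST = [
    ipaddress.ip_network("198.41.0.4/32"),   # a.root-servers.net
    ipaddress.ip_network("192.168.1.0/24"),  # internal management net (constructed)
]


class Shunner:
    """Decide whether an alert's source address should be blocked.

    Hypothetical policy (not SnortSam's):
      1. whitelisted addresses are never blocked;
      2. if `max_blocks` distinct sources have already been blocked within
         the last `window` seconds, treat further requests as a block flood
         (spoofed-source DoS) and refuse them until the window drains.
    """

    def __init__(self, whitelist, max_blocks=5, window=60.0):
        self.whitelist = whitelist
        self.max_blocks = max_blocks
        self.window = window
        self.recent = deque()   # (timestamp, ip) of blocks added recently
        self.blocked = set()    # every address currently in the firewall

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def _expire(self, now):
        # Drop block records older than the window so the rate check only
        # sees recent activity.
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()

    def request_block(self, now, ip):
        if self.is_whitelisted(ip):
            return "whitelisted"
        self._expire(now)
        if ip in self.blocked:
            return "already-blocked"
        distinct_recent = {entry[1] for entry in self.recent}
        if len(distinct_recent) >= self.max_blocks:
            return "threshold-exceeded"
        self.recent.append((now, ip))
        self.blocked.add(ip)
        return "blocked"


# Constructed alert stream: (seconds since start, source address).
# A spoofed root-server hit, a burst of six distinct sources, a repeat,
# then one more source after the window has drained.
CONSTRUCTED_ALERTS = [
    (0.0, "198.41.0.4"),
    (1.0, "203.0.113.10"),
    (2.0, "203.0.113.11"),
    (3.0, "203.0.113.12"),
    (4.0, "203.0.113.13"),
    (5.0, "203.0.113.14"),
    (6.0, "203.0.113.15"),
    (7.0, "203.0.113.10"),
    (70.0, "203.0.113.16"),
]


def decisions(alerts, max_blocks=5, window=60.0):
    """Run the alert stream through a fresh Shunner; return one decision per alert."""
    shunner = Shunner(WHITELIST, max_blocks=max_blocks, window=window)
    return [shunner.request_block(t, ip) for t, ip in alerts]


if __name__ == "__main__":
    for (t, ip), verdict in zip(CONSTRUCTED_ALERTS, decisions(CONSTRUCTED_ALERTS)):
        print(f"t={t:5.1f}  {ip:15}  {verdict}")
```

With the defaults, the sixth distinct source inside the window is refused rather than blocked, which is the behaviour that keeps an attacker from filling the firewall with spoofed entries; the later alert at t=70 is blocked again once the old records have aged out. A deployment would tune `max_blocks` and `window` to its normal alert rate and, as the reply notes, keep the sensor itself reachable only through a stealth interface.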