[Snort-users] [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor

Matt Jonkman jonkman at ...4024...
Thu Dec 18 15:42:05 EST 2008

Joel Esler wrote:
>> The more suspicious things they do the more points they get until they
>> cross a threshold and get blocked. So properly configured we could
>> detect someone probing for pages to attack before they got to the sql
>> injection.
> Yeah, that's great, until you start blocking real customers. End of
> that product.

No, then you adjust to not block real customers. We've been doing so for
quite a long time and blocking IPSs are still around.

>> Because I'm not yet sure that everything coming at me from tor is bad.
>> And I doubt that I'll be able to say everything from there is bad. But
>> it tells me something about what's coming at me and helps me make a
>> block decision.
> Exactly my point. Just because something *can* alert, doesn't mean it
> should. Block at the perimeter devices and monitor what actually gets
> through.

Different philosophies here. See my last post. I don't care to let
people beat on the door until they get through. I would rather the
night-watchman tase the crackhead beating on the front window of my
bank even though he may not be able to break the glass. Both approaches
are valid.

>> More information is usually better IMHO.
> More information that allows you to have actionable intelligence is
> better. Alerts that go into a db just "Because"? Pointless.

Agreed. But this isn't pointless by any means. Depends on how you act
upon intelligence.


Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
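The points-until-threshold scheme discussed in this thread, as an added illustration that is not code from the list, Emerging Threats or Snort: each request from a source earns suspicion points (Tor exit source, 404s on typical probe paths, SQL-injection-looking query strings), and the source is blocked once its running total crosses a threshold, while an ordinary customer with a stray 404 stays well below it. The log lines, the exit-node address and the point values are constructed placeholders, not real data.

```python
import re
from collections import defaultdict

# Constructed placeholders (documentation ranges), not real Tor exit nodes.
TOR_EXITS = {"198.51.100.7"}
PROBE_PATHS = ("/phpmyadmin", "/admin", "/wp-login.php", "/.env")
SQLI_RE = re.compile(r"(%27|'|union(\s|%20)+select)", re.I)
BLOCK_THRESHOLD = 10  # tune this so real customers never reach it
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed combined-format web server log: a Tor client probing for
# admin pages before trying SQL injection, then a normal customer.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Dec/2008:15:42:05 -0500] "GET /admin HTTP/1.0" 404 162',
    '198.51.100.7 - - [18/Dec/2008:15:42:06 -0500] "GET /phpmyadmin/ HTTP/1.0" 404 162',
    '198.51.100.7 - - [18/Dec/2008:15:42:09 -0500] "GET /item.php?id=1%27%20UNION%20SELECT%201 HTTP/1.0" 200 512',
    '203.0.113.5 - - [18/Dec/2008:15:43:01 -0500] "GET / HTTP/1.1" 200 2048',
    '203.0.113.5 - - [18/Dec/2008:15:43:02 -0500] "GET /old-page.html HTTP/1.1" 404 162',
    '203.0.113.5 - - [18/Dec/2008:15:43:05 -0500] "GET /products HTTP/1.1" 200 4096',
]

def score_event(src, path, status):
    """Suspicion points for one request; weights are illustrative."""
    points = 0
    if src in TOR_EXITS:
        points += 2                       # origin is a known exit node
    if status == 404 and path.lower().startswith(PROBE_PATHS):
        points += 3                       # hunting for admin interfaces
    elif status == 404:
        points += 1                       # a stray missing page is cheap
    if SQLI_RE.search(path):
        points += 5                       # injection-looking query string
    return points

def evaluate(lines, threshold=BLOCK_THRESHOLD):
    """Return (running score per source, {source: index of blocking line})."""
    scores, blocked = defaultdict(int), {}
    for n, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in log format
        src, _method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if src in blocked:
            continue                      # already blocked; later requests never arrive
        scores[src] += score_event(src, path, status)
        if scores[src] >= threshold:
            blocked[src] = n              # crossed the line at this request
    return dict(scores), blocked
```

Run over SAMPLE_LOG, the Tor source is blocked on its second probe, one line before the injection attempt, and the customer finishes with a score of 1.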
