
Re: [Snort-users] Snort's Blocking Capability?

From: Jason Haar <Jason.Haar(at)trimble.co.nz>
Date: Sun Mar 30 2003 - 05:13:16 EST

Erek Adams wrote:

>> * Could a setup on the hacker's machine not simply ignore
No need to rewrite the IP stack - e.g. the hacker could configure netfilter to just drop RSETs.
...However, pretty unlikely the attacked host is dropping them too...

But as you say - inline is the only real way of handling this reliably. Also note that "blocking" IDS can *really* sting you. I'm still smarting from two years ago when I allowed Snort to RSET CodeReds - totally killed one of our internal groups from uploading a particular PDF file to our DMZ. Apparently the CodeRed sig just happened to appear about 800K into the file :-) "I don't get it, the upload keeps failing at the same point..."

Be VERY careful with that sort of stuff. Virus-scanners have basically solved the FP problem due to recursive analysis and all sorts of double-checking - none of that is practical in an online IDS on 100M+ ethernet...

Jason
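As an added example (not from the original thread), a small Python harness in the spirit of Jason's warning: before a content signature is allowed to drive RST blocking, run it over a corpus of known-good files and see where it would fire. It expands Snort's `|hex|` content syntax; the signature and the sample files are constructed stand-ins, not Snort's actual CodeRed rule or any real user data.

```python
def parse_snort_content(content):
    """Expand a Snort content string into raw bytes.

    Snort writes non-printable bytes between pipes as hex, so
    'abc|41 42|' becomes b'abcAB'. Even-numbered split parts are
    literal text, odd-numbered parts are hex.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def find_offsets(pattern, data):
    """Every offset at which pattern occurs in data (overlaps included)."""
    offsets, start = [], 0
    while (idx := data.find(pattern, start)) >= 0:
        offsets.append(idx)
        start = idx + 1
    return offsets


def false_positive_report(content, samples):
    """Map each known-good sample name to the offsets where the content
    pattern fires. An empty dict means the signature never matched."""
    pattern = parse_snort_content(content)
    report = {}
    for name, blob in samples.items():
        hits = find_offsets(pattern, blob)
        if hits:
            report[name] = hits
    return report


# Constructed stand-in for a worm content match (NOT Snort's real CodeRed rule).
SIGNATURE = "|4E 4E 4E 4E 4E 4E 4E 4E|"

# Constructed "known-good" corpus: a fake PDF whose binary body happens to
# contain a run of 0x4E bytes at offset 8192, plus a clean text file.
_pdf = bytearray(b"%PDF-1.4\n" + b"\x00" * 8183)  # 9 + 8183 = 8192 bytes so far
_pdf += b"\x4E" * 8 + b"\n%%EOF\n"
SAMPLES = {"report.pdf": bytes(_pdf), "readme.txt": b"plain text, no worm bytes"}

if __name__ == "__main__":
    for name, offsets in false_positive_report(SIGNATURE, SAMPLES).items():
        print(f"{name}: signature would fire at byte offset(s) {offsets}")
```

Any sample that shows up in the report is an upload the blocking rule would have killed; run the rule alert-only until the report is empty for the traffic you actually carry.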




Snort-users mailing list
Snort-users@lists.sourceforge.net
Received on Sun Mar 30 05:42:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:50:31 EDT

