Snort mailing list archives

Re: SHUN


From: Alberto Gonzalez <albertg () cerebro violating us>
Date: Tue, 03 Dec 2002 06:38:00 -0800

The white-list is a basic "Do Not Block" list. I block anything that isn't a SYN at the fw. People think that an IDS is their answer to everything, which in fact it isn't. It's 1 component in your network's defense against intruders. It *should* work in conjunction with other devices and/or send logs to a central mgnt console. That's why I like snortsam; yeah, it's an attempt to be an All-In-One type thing, but I like it.

Cheers!

   - Alberto *Yawn* Gonzalez.

ams67 wrote:

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Alberto
Gonzalez
Sent: Tuesday, 3 December 2002 8:38 p.m.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] SHUN

Maybe I missed something, but what does a white-list of IPs have to do with missing internal attacks? Yes, snortsam does active blocking. That doesn't mean the engine it uses stops alerting on malicious packets. You configure the rules to use with snortsam. YOU have control. Just configure snortsam (which uses snort) to listen on the internal interface, or am I just extremely tired?

Perhaps I am the one who is missing something. I do not know snortsam (I
will try it for sure). I thought that a white-list is the list of IP
addresses that snortsam will not block and 'analyze', as snort does when
you put in the DNS IP address to avoid false positives. However, I would
like to understand how snortsam can manage a SYN flood attack where the
source IP is randomly generated for each packet sent (e.g. synk4).
Filling up the logs and blocking hundreds of thousands of random IP
addresses, would that not be considered a successful DoS?

Tony






--
The secret to success is to start from scratch and keep on scratching.
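
The two points raised in this message, the "Do Not Block" white-list and the question of what happens when every packet of a SYN flood carries a different spoofed source, can be modelled in a few lines. This is an added example, not part of the original thread and not snortsam's code; `ActiveBlocker`, its table cap, the block lifetime and all addresses are assumptions made for illustration.

```python
import ipaddress
import random

class ActiveBlocker:
    """Toy model of an alert-driven blocker (hypothetical, not snortsam)."""

    def __init__(self, whitelist, max_blocks, ttl):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.max_blocks = max_blocks   # assumed capacity of the firewall block table
        self.ttl = ttl                 # assumed block lifetime in seconds
        self.blocks = {}               # source IP -> expiry time

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def request_block(self, ip, now):
        # Drop expired entries first so timed blocks free their slots.
        self.blocks = {a: t for a, t in self.blocks.items() if t > now}
        if self.is_whitelisted(ip):
            return "whitelisted"       # "Do Not Block": alert only, never block
        if ip in self.blocks:
            self.blocks[ip] = now + self.ttl
            return "refreshed"
        if len(self.blocks) >= self.max_blocks:
            return "table-full"        # no room left for a real offender
        self.blocks[ip] = now + self.ttl
        return "blocked"

def simulate_spoofed_flood(blocker, packets, seed=1):
    """One block request per packet, each with a random (constructed) source."""
    rng = random.Random(seed)
    outcome = {}
    for i in range(packets):
        src = str(ipaddress.ip_address(rng.getrandbits(32)))
        result = blocker.request_block(src, now=i * 0.001)
        outcome[result] = outcome.get(result, 0) + 1
    return outcome

if __name__ == "__main__":
    b = ActiveBlocker(["192.0.2.53/32"], max_blocks=1000, ttl=300)
    print(b.request_block("192.0.2.53", 0.0))    # white-listed DNS server
    print(simulate_spoofed_flood(b, 5000))       # table fills, the rest are refused
    print(b.request_block("203.0.113.9", 5.0))   # genuine offender cannot be blocked
```

In this model the white-list protects the named hosts, but the block table itself is what the spoofed flood consumes; block requests keyed on an unverified source address need a rate limit or should not be triggered by single-packet SYN alerts at all.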



