OSEC

Subject: Re: False Sense of Security?
From: Dragos Ruiu (drKYX.NET)
Date: Thu Nov 16 2000 - 18:36:04 CST


On Thu, 16 Nov 2000, Frank Knobbe wrote:
> That depends. You can have _your systems_ react to it. For example,
> I'm running snort as an IDS inside the network and as an ADS in front
> of the firewall. Any source that tries something that they shouldn't
> (i.e. simply portscan) will trigger an event that automatically
> reconfigures the firewall so that the source is completely blocked
> for a specified time.
>
> Commonly you have some services open, for example SMTP or web. If
> someone scans your machine, you can have the firewall close all ports
> (incl. SMTP) for that source to avoid any nasties coming from that
> source. Just like that flower that closes when you touch it (Mimose?)

Uhm.... I see.

And if I spoof an attack as coming from your default gateway? Or your
mail/pop server...

Autoresponse/autoblock functions should be considered "inherently dangerous,"
imho. It's like wiring up a shotgun to your unattended burglar alarm. (Ok, I
concede exaggeration here. ;-) The flexresp feature of snort is one
I lament and think ought to have "suitable only for mature viewers"
warnings... :-)

What's your IP address again? ... ;-)

cheers,
--dr
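
The failure mode raised in this message (an alert with a forged source address causing the firewall to block the gateway or mail server) can be constrained in the block decision itself. The sketch below is an added example, not part of the original post and not snort or flexresp code. The addresses, the `handshake_completed` alert field and the class name are assumptions made for illustration.

```python
import ipaddress
import time

# Constructed sample values (documentation address ranges), not from the post.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.1/32",     # default gateway
    "192.0.2.25/32",    # mail/pop server
    "198.51.100.0/28",  # upstream DNS resolvers
)]
BLOCK_SECONDS = 600     # blocks always expire; no permanent automatic entries


class AutoBlocker:
    """Decides whether an IDS alert may trigger an automatic firewall block."""

    def __init__(self, never_block=NEVER_BLOCK, ttl=BLOCK_SECONDS):
        self.never_block = never_block
        self.ttl = ttl
        self.blocked = {}  # ip_address -> expiry timestamp

    def decide(self, alert, now=None):
        now = time.time() if now is None else now
        src = ipaddress.ip_address(alert["src"])
        # Guard 1: infrastructure the network depends on is never auto-blocked,
        # so a forged source cannot turn the response into a self-inflicted outage.
        if any(src in net for net in self.never_block):
            return "alert-only: protected address"
        # Guard 2 (assumed sensor field): only act when a TCP handshake completed.
        # A source address on a lone SYN or UDP packet proves nothing about
        # who sent it, so such alerts are logged for a human instead.
        if not alert.get("handshake_completed"):
            return "alert-only: source unverified"
        self.blocked[src] = now + self.ttl
        return "block"

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        expiry = self.blocked.get(addr)
        if expiry is None:
            return False
        if expiry <= now:          # expired entries are dropped on lookup
            del self.blocked[addr]
            return False
        return True
```

Under these guards a plain portscan alert is logged rather than acted on, since a scan packet's source address is unverified.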