From: ams67 (ams67_at_xtra.co.nz)
Date: Mon Dec 02 2002 - 17:02:09 CST

    -----Original Message-----
    From: Frank Knobbe [mailto:fknobbeknobbeits.com]
    Sent: Tuesday, 3 December 2002 11:43 a.m.
    To: ams67
    Cc: snort-userslists.sourceforge.net
    Subject: RE: [Snort-users] SHUN

    On Mon, 2002-12-02 at 15:47, ams67 wrote:
    > IMAO IDSs should not interfere with FWs. If I spoof my IP address with
    > your current, e.g. DNS server and send a forged packet with an attack
    > signature to your network protected by your IDS/FW integrated system I
    > can create an easy DoS by stopping legal and operational traffic.
    > That is really easy to accomplish (e.g. nmap -D your.good.dns.server,
    > your.good.external.router, etc..).

    Basically true, but you can minimize the risk of those conditions.
    SnortSam and Guardian for example have white-lists. Also, SnortSam can
    detect DoS conditions and undo recent blocks and sit idle for a while.

    Being able to DoS someone by spoofing DNS servers is becoming lame...
    (no offense, but that argument has been beaten to death...)

    Frank
    --------------------------------------------------------
    Of course, a white list can minimize the risk of DoS, but it also increases
    the risk of not detecting an internal attack. Therefore, it is a question
    of choosing which is less risky...
    I personally prefer to leave the job of detecting network anomalies to an IDS,
    the job of filtering unwanted packets to a FW and the job of deciding what is
    right to stop to the skills of the security operator. The IDS
    technologies are still in an early stage before I can totally rely on them.
    I think now they are just good tools to 'help' make decisions.

    No offence taken, however I mentioned DNS and external router as a
    simple example. The fact it has been beaten to death does not change the
    level of potential threat.

    Tony
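
The trade-off argued in this thread, as an added example that is not part of either message and is not SnortSam or Guardian code: a hypothetical auto-block agent that skips white-listed sources and, when alerts arrive from too many new sources in a short window, undoes its recent blocks and sits idle. The class name, thresholds and alert data are assumptions; addresses are documentation ranges.

```python
import ipaddress
from collections import deque

class BlockAgent:
    """Hypothetical IDS-driven blocker with a white-list and flood rollback."""
    def __init__(self, whitelist, max_blocks=3, window=10.0, idle=60.0):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.max_blocks, self.window, self.idle = max_blocks, window, idle
        self.blocked = {}        # source -> time the block was installed
        self.recent = deque()    # (time, source) of blocks inside the window
        self.idle_until = 0.0

    def on_alert(self, src, now):
        ip = ipaddress.ip_address(src)
        # White-listed hosts are never blocked, so a spoofed DNS server
        # cannot be used for DoS, but a real attack from it is not stopped.
        if any(ip in net for net in self.whitelist):
            return "whitelisted"
        if now < self.idle_until:
            return "idle"
        if src in self.blocked:
            return "already-blocked"
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_blocks:
            # Too many new blocks in the window: treat it as a spoofing
            # flood, undo the recent blocks and stop blocking for a while.
            for _, addr in self.recent:
                self.blocked.pop(addr, None)
            self.recent.clear()
            self.idle_until = now + self.idle
            return "rollback"
        self.blocked[src] = now
        self.recent.append((now, src))
        return "blocked"

# Constructed alert stream: (seconds, claimed source address).
ALERTS = [(0.0, "192.0.2.53"),      # white-listed DNS server
          (1.0, "203.0.113.10"), (2.0, "203.0.113.11"),
          (3.0, "203.0.113.12"), (4.0, "203.0.113.13"),
          (5.0, "203.0.113.14"),    # arrives during the idle period
          (70.0, "203.0.113.15")]   # arrives after the idle period

def replay(alerts):
    agent = BlockAgent(["192.0.2.53/32"])
    return [agent.on_alert(src, t) for t, src in alerts], sorted(agent.blocked)

if __name__ == "__main__":
    print(replay(ALERTS))
```

Both positions show up in the output: the white-listed source is never blocked regardless of what it sends, and the burst of new sources ends in a rollback that leaves no automatic blocking in force until the idle period expires.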