From: Alberto Gonzalez (albertg_at_cerebro.violating.us)
Date: Tue Dec 03 2002 - 08:38:00 CST

    The white-list is a basic "Do Not Block" list. I block anything that
    isn't a SYN at the fw.
    People think that an IDS is their answer to everything, which in fact it
    isn't. It's one component in your network's defense against intruders.
    It *should* work in conjunction with other devices and/or send logs to a
    central mgmt console. That's why I like snortsam; yeah, it's an attempt
    to be an All-In-One type thing, but I like it.

    Cheers!

        - Alberto *Yawn* Gonzalez.

    ams67 wrote:

    >-----Original Message-----
    >From: snort-users-adminlists.sourceforge.net
    >[mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Alberto Gonzalez
    >Sent: Tuesday, 3 December 2002 8:38 p.m.
    >Cc: snort-userslists.sourceforge.net
    >Subject: Re: [Snort-users] SHUN
    >
    >>Maybe I missed something, but what does a white-list of IPs have to do
    >>with missing internal attacks?
    >>Yes, snortsam does active blocking. That doesn't mean the engine it uses
    >>stops alerting on malicious packets.
    >>You configure the rules to use with snortsam. YOU have control. Just
    >>configure snortsam (which uses snort)
    >>to listen on the internal interface, or am I just extremely tired?
    >
    >Perhaps I am the one who is missing something. I do not know snortsam (I
    >will try it for sure). I thought that a white-list is the list of IP
    >addresses that snortsam will not block and will 'analyze' as snort does,
    >as when you put the DNS IP address in to avoid false positives. However,
    >I would like to understand how snortsam can manage a SYN flood attack
    >where the IP source is randomly generated for each packet sent (e.g.
    >synk4). Filling up the logs and blocking hundreds of thousands of random
    >IP addresses, would that not be considered a successful DoS?
    >
    >Tony

    -- 
    The secret to success is to start from scratch and keep on scratching.
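The trade-off the two posts circle (a "Do Not Block" white-list on one side, Tony's point that auto-blocking a randomised-source SYN flood turns into a self-inflicted DoS on the other) can be modelled in a few lines. This is an added example, not snortsam's code or anything posted in the thread; the Blocker class, its thresholds, the 60-second window and the 10.x.x.x flood sources are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

class Blocker:
    def __init__(self, whitelist, max_blocks=1000, block_ttl=600, flood_threshold=200):
        self.whitelist = [ip_network(n) for n in whitelist]  # "Do Not Block" list
        self.max_blocks = max_blocks            # hard cap on firewall table growth
        self.block_ttl = block_ttl              # seconds a block lives before it expires
        self.flood_threshold = flood_threshold  # distinct sources per 60s window before blocking stops
        self.blocks = {}                        # blocked src ip -> expiry timestamp
        self.window_start = 0
        self.window_sources = set()

    def is_whitelisted(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.whitelist)

    def _tick(self, now):
        # drop expired blocks and roll the per-window distinct-source counter
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        if now - self.window_start >= 60:
            self.window_start = now
            self.window_sources = set()

    def on_alert(self, src, now):
        """Decide what to do with one alert from src at time now; returns a verdict."""
        self._tick(now)
        self.window_sources.add(src)
        if self.is_whitelisted(src):
            return "whitelisted"
        if src in self.blocks:
            return "already-blocked"
        if len(self.window_sources) > self.flood_threshold:
            # spoofed/random sources: per-source blocks would only fill the firewall table
            return "flood-suppressed"
        if len(self.blocks) >= self.max_blocks:
            return "table-full"
        self.blocks[src] = now + self.block_ttl
        return "blocked"

def simulate_random_source_flood(n=500, flood_threshold=200):
    """Constructed scenario: n SYN alerts, each from a different 10.x.x.x source."""
    b = Blocker(whitelist=["192.0.2.53/32"], flood_threshold=flood_threshold)
    verdicts = {}
    for i in range(n):
        src = str(ip_address(0x0A000000 + 1 + i))  # 10.0.0.1, 10.0.0.2, ...
        v = b.on_alert(src, now=i // 100)           # 100 alerts per second
        verdicts[v] = verdicts.get(v, 0) + 1
    return verdicts, len(b.blocks)

if __name__ == "__main__":
    print(simulate_random_source_flood())
```

Without the flood threshold the same run would add all 500 sources to the block table; with it, the table stops growing at 200 while the IDS keeps alerting, which is the behaviour Alberto describes as the engine still alerting while blocking is a separate decision.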