From: Frank Knobbe (fknobbe_at_knobbeits.com)
Date: Tue Dec 03 2002 - 09:28:44 CST


    On Tue, 2002-12-03 at 00:28, ams67 wrote:

    > Perhaps I am the one who is missing something. I do not know SnortSam (I
    > will try it for sure). I thought that a white-list is the list of IP
    > addresses that SnortSam will not block and 'analyze'.

    Tony,

    again, Snort and SnortSam are two different programs. Snort still does
    the analysis. It's just that SnortSam doesn't block white-listed IPs. I
    think that's what you mean though.

    > However, I would
    > like to understand how SnortSam can manage a SYN flood attack where the
    > IP source is randomly generated for each packet sent (e.g. synk4).
    > Filling up the logs and blocking hundreds of thousands of random IP
    > addresses, would that not be considered a successful DoS?

    There is no fancy AI involved. SnortSam uses a simple threshold
    mechanism to detect 'attacks'. If SnortSam exceeds a definable amount
    of blocking requests in a definable amount of time, it will unblock the
    last <definable> IP addresses, and then just wait until the current rate
    of blocking requests recedes below the threshold level. It then waits an
    additional definable time before it acts on blocking requests again.

    So under normal conditions, you may see a maximum of, for example, 5
    blocks (read: unique IPs) per 10 seconds. If you try to DoS SnortSam
    with your SYN-flood attack, you will probably exceed 10 blocks per 10
    secs (let's use that as an example for the set threshold). SnortSam will
    then unblock the last <x> blocks it 'mistakenly' blocked, and wait until
    you quit DoS'ing the system. It then waits a while to make sure you're
    really gone, and then gets back to work.

    Not a fool-proof method, but it seems to work pretty well.

    Regards,
    Frank

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iQCVAwUAPezNrL+0ijK5TGa5AQKWTAQAykGVjzboROslnVNnXHyfv1ACW9Bfhfdl
    MI9vScfSdnaHGVXF+Hki51xN7oWKDe53NtFIsS+EZ7xPYi1Y/oed+T+smGV0VQbl
    PBbdwuaIvEpYkZo72Y96a0SyxeuvJ1h0Vq1DF8tE6P3F8nfyF+47Sxf93JKMhV4V
    ygbgU+9DqHk=
    =9Mvr
    -----END PGP SIGNATURE-----

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
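The threshold-and-rollback behaviour Frank describes, as an added simulation that is not SnortSam's own code and not from the original post: block requests are counted over a sliding window; once the count exceeds the threshold, the last few blocks are undone and further requests are ignored until the window count has fallen back under the threshold and an extra holdoff has passed. The parameter values (10 blocks per 10 seconds, roll back the last 5, 15 seconds holdoff), the way the "rate has receded" moment is computed from the request timestamps, and the constructed alert timeline with 198.51.100.x and 203.0.113.x sources are all assumptions for illustration, not SnortSam's actual settings or logic.

```python
"""Model of SnortSam-style block-request throttling (illustrative, not SnortSam source).

Assumed behaviour, after Frank's description:
  - more than `max_blocks` block requests within `window` seconds is treated as
    a flood: the last `rollback` blocks are undone and new requests are dropped;
  - blocking resumes `holdoff` seconds after the window count has fallen back
    to `max_blocks` (that moment is derived from the request timestamps here).
"""
from collections import deque


class BlockThrottle:
    def __init__(self, max_blocks=10, window=10.0, rollback=5, holdoff=15.0):
        self.max_blocks = max_blocks   # block requests tolerated per window
        self.window = window           # window length in seconds
        self.rollback = rollback       # recent blocks to undo when a flood is detected
        self.holdoff = holdoff         # extra quiet time before blocking resumes
        self.requests = deque()        # timestamps of block requests still inside the window
        self.blocked = []              # currently blocked IPs, oldest first
        self.last_undone = []          # IPs released by the most recent rollback
        self.resume_at = None          # None while operating normally

    def _prune(self, now):
        """Drop request timestamps that have aged out of the sliding window."""
        while self.requests and now - self.requests[0] > self.window:
            self.requests.popleft()

    def request(self, now, ip):
        """Handle one block request at time `now`; return what was done with it."""
        if ip in self.blocked:
            return "already-blocked"          # duplicates do not count towards the rate
        self._prune(now)
        self.requests.append(now)
        excess = len(self.requests) - self.max_blocks
        if excess > 0:
            # The window count falls back to max_blocks once the `excess` oldest
            # requests have aged out; blocking resumes `holdoff` seconds after that.
            receded_at = self.requests[excess - 1] + self.window
            was_suspended = self.resume_at is not None
            self.resume_at = max(self.resume_at or 0.0, receded_at + self.holdoff)
            if was_suspended:
                return "dropped"              # still flooding: keep ignoring requests
            # First detection: undo the last `rollback` blocks, which were most
            # likely spoofed sources, and suspend blocking.
            cut = max(0, len(self.blocked) - self.rollback)
            self.last_undone = self.blocked[cut:]
            self.blocked = self.blocked[:cut]
            return "rollback"
        if self.resume_at is not None:
            if now < self.resume_at:
                return "dropped"              # rate receded, but holdoff not yet over
            self.resume_at = None             # holdoff elapsed: back to work
        self.blocked.append(ip)
        return "blocked"


def run_scenario():
    """Constructed alert timeline: normal alerts, a spoofed-source flood, then recovery."""
    throttle = BlockThrottle(max_blocks=10, window=10.0, rollback=5, holdoff=15.0)
    results = []
    # Normal operation: three alerts from distinct sources over a few seconds.
    for now, ip in [(0.0, "198.51.100.1"), (3.0, "198.51.100.2"), (7.0, "198.51.100.3")]:
        results.append((now, ip, throttle.request(now, ip)))
    # synk4-style flood: 30 random (constructed) sources within three seconds.
    for i in range(30):
        now, ip = 20.0 + i / 10.0, f"203.0.113.{i}"
        results.append((now, ip, throttle.request(now, ip)))
    # A legitimate alert while the holdoff is still running, and one after it.
    results.append((40.0, "198.51.100.4", throttle.request(40.0, "198.51.100.4")))
    results.append((60.0, "198.51.100.5", throttle.request(60.0, "198.51.100.5")))
    return throttle, results


if __name__ == "__main__":
    throttle, results = run_scenario()
    for now, ip, decision in results:
        print(f"t={now:5.1f}  {ip:<14} {decision}")
    print("released by rollback:", throttle.last_undone)
    print("still blocked:", throttle.blocked)
```

Running the scenario shows the trade-off Frank mentions: the first ten flood sources are blocked before the threshold trips, the five most recent of those are released by the rollback (the first five spoofed addresses stay blocked), the rest of the flood is ignored, and the legitimate alert at t=40 is also dropped because the holdoff has not expired, while the one at t=60 is blocked normally.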