From: ams67 (ams67_at_xtra.co.nz)
Date: Tue Dec 03 2002 - 14:19:50 CST

    Frank

    Thank you for your clear explanation.
    However, I still have a possible 'lame' question to ask. :-)
    Please correct me if I am wrong. If I am the attacker and I do not want
    my IP address blocked by SnortSam, I could launch a syn-flood attack so I
    achieve a kind of 'fail-open' status. In the meantime, I launch the real
    attack that will not be blocked as I managed to reach the threshold from
    my previous syn-attack. In this way I can easily evade the functionality
    of SnortSam.
    I understand that in security, nothing is foolproof, however I still
    think that now tools like SnortSam or Guardian are still too 'fool' to be
    used in a productive/operational environment.
    Probably until the TCP/IP protocol is rewritten with 'security' in
    mind, the attackers will always be one step forward...

    Regards

    Tony

    -----Original Message-----
    From: Frank Knobbe [mailto:fknobbeknobbeits.com]
    Sent: Wednesday, 4 December 2002 4:29 a.m.
    To: ams67
    Cc: snort-userslists.sourceforge.net
    Subject: RE: [Snort-users] SHUN

    >Tony,
    >
    >again, Snort and SnortSam are two different programs. Snort still does
    >analysis. It's just that SnortSam doesn't block white-listed IP's. I
    >think that's what you mean though.
    >
    >There is no fancy AI involved. SnortSam uses a simple threshold
    >mechanism to detect 'attacks'. If SnortSam exceeds a definable amount
    >of blocking requests in a definable amount of time, it will unblock the
    >last <definable> IP addresses, and then just wait until the current rate
    >of blocking requests recedes below the threshold level. It then waits an
    >additional definable time before it acts on blocking requests again.
    >
    >So under normal conditions, you may see a maximum of, for example, 5
    >blocks (read, unique IP's) per 10 seconds. If you try to DoS SnortSam
    >with your syn-flood attack, you will probably exceed 10 blocks per 10
    >secs (let's use that as an example for the set threshold). SnortSam will
    >then unblock the last <x> blocks it 'mistakenly' blocked, and wait until
    >you quit DoS'ing the system. It then waits a time to make sure you're
    >really gone, and then gets back to work.
    >
    >Not a fool-proof method, but it seems to work pretty well.
    ---------------------
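To make the threshold behaviour described in Frank's reply concrete, here is an added simulation (not SnortSam's code and not part of the original thread) of a blocker with a per-window threshold, a rollback of the most recent blocks, and a cool-down before blocking resumes; the class name, its parameters and the sample addresses are assumptions, so an operator can see which block requests such a mechanism acts on during and after a burst.

```python
from collections import deque

class BlockThrottle:
    """SnortSam-style threshold/fail-open model (assumed, not SnortSam's own code): when
    more than `threshold` distinct IPs request a block within `window` seconds, the last
    `rollback` blocks are undone and requests are ignored until the rate has stayed below
    the threshold for `cooldown` seconds."""

    def __init__(self, threshold, window, rollback, cooldown):
        self.threshold, self.window = threshold, window
        self.rollback, self.cooldown = rollback, cooldown
        self.recent = deque()      # (timestamp, ip) of requests inside the window
        self.blocked = []          # active blocks, oldest first
        self.suspended = False     # True while failed open
        self.resume_at = 0.0       # earliest time blocking may resume
        self.last_unblocked = []   # blocks undone by the most recent fail-open

    def _rate(self, now):
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        return len({ip for _, ip in self.recent})

    def request(self, now, ip):
        """Handle one block request; returns 'blocked', 'ignored' or 'fail-open'."""
        self.recent.append((now, ip))
        over = self._rate(now) > self.threshold
        if self.suspended:
            if over:                       # flood still going: restart the cool-down
                self.resume_at = now + self.cooldown
            if over or now < self.resume_at:
                return "ignored"
            self.suspended = False         # rate receded and cool-down elapsed
        elif over:                         # threshold crossed: fail open
            cut = max(len(self.blocked) - self.rollback, 0)
            self.last_unblocked, self.blocked = self.blocked[cut:], self.blocked[:cut]
            self.suspended = True
            self.resume_at = now + self.cooldown
            return "fail-open"
        if ip not in self.blocked:
            self.blocked.append(ip)
        return "blocked"

def simulate(events, **params):
    """Run (timestamp, ip) requests through one throttle; return actions, final blocks."""
    throttle = BlockThrottle(**params)
    return [throttle.request(ts, ip) for ts, ip in events], list(throttle.blocked)

# Constructed sample (192.0.2.0/24 is documentation space): a burst of distinct sources, then one request after the window empties.
SAMPLE = [(0, "192.0.2.1"), (1, "192.0.2.2"), (2, "192.0.2.3"),
          (3, "192.0.2.4"), (4, "192.0.2.5"), (15, "192.0.2.6")]
```

Running `simulate(SAMPLE, threshold=3, window=10, rollback=2, cooldown=5)` shows the fourth source tripping fail-open, the fifth being ignored, and blocking resuming only once the window has emptied and the cool-down has passed; a request arriving while old burst timestamps are still inside the window is ignored too, which is exactly the gap Tony describes.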
