From: Frank Knobbe (fknobbe_at_knobbeits.com)
Date: Tue Dec 03 2002 - 14:29:46 CST


    On Tue, 2002-12-03 at 14:19, ams67 wrote:
    > Thank you for your clear explanation.
    > However, I still have a possible 'lame' question to ask. :-)
    > Please correct me if I am wrong. If I am the attacker and I do not want
    > my ip address blocked by SnortSam, I could launch a syn-flood attack so I
    > achieve a kind of 'fail-open' status. In the meantime, I launch the real
    > attack that will not be blocked as I managed to reach the threshold from
    > my previous syn-attack. In this way I can easily evade the functionality
    > of SnortSam.

    That is correct. If you know that an environment is using SnortSam, and
    the admin has the rollback mechanism enabled, then yes, you can pry (and
    hold) SnortSam open (your normal firewall rules still apply). There is
    no silver bullet for security. The way SnortSam works, I'd rather have it
    fail open than shut. It is designed to augment your security setup, not
    replace it. For me, it's perfect to blind scanners and prevent certain
    exploits.

    There are other devices, like WatchGuard's Firebox, that will keep
    blocking (afaik) upon detection of a scan. They might be more
    susceptible to a DoS.

    > I understand that in security, nothing is foolproof, however I still
    > think that now tools like SnortSam or Guardian are still too 'fool' to be
    > used in a productive/operational environment.

    As I said, WatchGuard uses it in production. And yes, it may not be for
    every environment. Neither are Intrusion Protection Devices like
    Hogwash.

    The security tools that we currently have are all in their infancy.
    Except maybe firewalls/packet filters. IDSs still suck (except Snort ;)
    due to false positives. It all needs time to mature.

    Frank

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iQCVAwUAPe0UOb+0ijK5TGa5AQL9QgQA22nTW2m4nNM+RYFF7A+t3dODDLUj54VO
    wCnsPbvs+nK9Xew825JDjkzX3uFC3zyWtDMVsIJsA3+EiOM5TaP/z9sUSL/Qi/PO
    2ylIrB8daYeA9IoAg/bpRA4TOZs8uo/oAWV2QXfM89b8RhD78AdqH4lQ7cs7dM0X
    S74z3HSj8vg=
    =k0xO
    -----END PGP SIGNATURE-----
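The two behaviours discussed in the message above (a rollback threshold that "fails open" and can be pried open with a flood of spoofed sources, versus an agent that keeps blocking and is instead exposed to a denial of service against third parties) can be modelled in a few lines. The following is an added example written for this archive page; it is not SnortSam's, Guardian's or Frank's own code. The option names (threshold, window_s, rollback_hosts, sleep_s) and their semantics are a simplified assumption modelled on the rollback mechanism described in the thread, and the IP addresses are constructed documentation addresses.

```python
"""Toy model of an IDS-driven blocking agent with an optional rollback safeguard.

Assumptions (not SnortSam's actual implementation): if more than `threshold`
block requests arrive within `window_s` seconds, a fail-open agent undoes the
most recent `rollback_hosts` blocks and ignores further requests for `sleep_s`
seconds. A fail-closed agent simply keeps blocking every requested address.
"""
from collections import deque


class BlockingAgent:
    def __init__(self, threshold, window_s, rollback_hosts, sleep_s, fail_open=True):
        self.threshold = threshold          # block requests tolerated per window
        self.window_s = window_s            # length of the sliding window (seconds)
        self.rollback_hosts = rollback_hosts  # how many recent blocks to undo
        self.sleep_s = sleep_s              # how long to ignore requests after a rollback
        self.fail_open = fail_open
        self.blocked = {}                   # ip -> time the block was installed
        self.recent = deque()               # (time, ip) of requests inside the window
        self.sleeping_until = 0.0
        self.rollbacks = 0

    def _trim(self, now):
        # Drop requests that have aged out of the sliding window.
        while self.recent and now - self.recent[0][0] > self.window_s:
            self.recent.popleft()

    def block(self, ip, now):
        """Handle a block request from the IDS. Returns True if `ip` ends up blocked."""
        if self.fail_open and now < self.sleeping_until:
            return False                    # rolled back earlier; ignoring requests
        self.blocked[ip] = now
        self.recent.append((now, ip))
        self._trim(now)
        if self.fail_open and len(self.recent) > self.threshold:
            self._rollback(now)
        return self.is_blocked(ip)

    def _rollback(self, now):
        # Undo the newest blocks and go to sleep: this is the "fail-open" state.
        newest_first = [ip for _, ip in reversed(self.recent)]
        for ip in newest_first[: self.rollback_hosts]:
            self.blocked.pop(ip, None)
        self.recent.clear()
        self.sleeping_until = now + self.sleep_s
        self.rollbacks += 1

    def is_blocked(self, ip):
        return ip in self.blocked


def simulate(fail_open=True):
    """Replay the evasion from the thread against a fail-open or fail-closed agent."""
    agent = BlockingAgent(threshold=10, window_s=30, rollback_hosts=50,
                          sleep_s=60, fail_open=fail_open)
    attacker = "203.0.113.7"        # constructed: the attacker's real address
    partner = "198.51.100.5"        # constructed: a legitimate host the attacker spoofs
    # Phase 1: SYN flood with spoofed sources; each one trips an IDS block rule.
    spoofed = [f"192.0.2.{i}" for i in range(1, 21)] + [partner]
    t = 0.0
    for src in spoofed:
        agent.block(src, t)
        t += 0.1
    # Phase 2: the real attack from the attacker's own address, a second later.
    agent.block(attacker, t + 1.0)
    return agent, attacker, partner


if __name__ == "__main__":
    for mode in (True, False):
        agent, attacker, partner = simulate(fail_open=mode)
        print(f"fail_open={mode}: rollbacks={agent.rollbacks}, "
              f"attacker blocked={agent.is_blocked(attacker)}, "
              f"spoofed legitimate host blocked={agent.is_blocked(partner)}")
```

With the fail-open agent the eleventh spoofed source exceeds the threshold, every block is rolled back and the agent sleeps, so the attacker's own address is never blocked; with the fail-closed agent the attacker is blocked, but so is every address the attacker chose to spoof, which is the DoS exposure Frank attributes to devices that keep blocking.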

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users