This is a discussion on Re: [Snort-users] Snort & Intrusion Prevention within the Snort forums, part of the System Security and Security Related category.
On Wed, 2004-06-02 at 08:10, Maetzky, Steffen (Extern) wrote:

> 2. If I use guardian or snortsam snort is still passive and doesn't drop
> packets but sessions are closed over a special period.
> Guardian and snortsam reconfigure an active firewall directly.
> -> DoS possible

That's why I included countermeasures in Snortsam to avoid DoS conditions.

Snortsam is a reactive system (as opposed to an inline, active system). The advantage is that you can block all traffic to or from (or both) that host. Besides the obvious "blocking all access to the host" type block, you can also perform isolation blocks. That means that it can do these things that you would do anyway -- isolating compromised hosts for later analysis -- just in an automated fashion. (Imagine your hacked web server getting quarantined at 4am automatically...). Or it can aid in policy enforcement where internal hosts get punished with a block from the Internet for certain actions. Or automatically block unknown new hosts. (I could go on as there are plenty more scenarios where Snortsam can be helpful).

An inline IPS can only block on its own wire. Using Snortsam you could block one attacker on a multitude of firewalls. Consider this scenario: You have 20 Snort sensors and 8 firewalls, controlled by 5 Snortsam agents. If an intruder gets detected on any of the 20 sensors, he can be blocked on all 8 firewalls. Or consider an internal PC infected with a worm. If Snortsam detects it, it can isolate that workstation from the rest of the network in a snap.

The ability to act upon more than just the monitored segment differentiates reactive systems like Snortsam from inline devices.

Hope this helps.
Regards,
Frank
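As an added illustration of the fan-out Frank describes (an alert on any one sensor leads to a block on every firewall) together with the kind of DoS countermeasure a reactive blocker needs, here is example code written for this page; it is not Snortsam's own code, and the `Dispatcher`/`Firewall` names, the never-block list and the per-sensor cap are assumptions chosen for the illustration.

```python
# Added example (not Snortsam's code): a minimal reactive block dispatcher.
# One sensor alert fans out to every firewall agent; two guards limit the
# DoS exposure of reacting to spoofable alerts. All names are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Firewall:
    name: str
    blocked: set = field(default_factory=set)

    def block(self, host: str, seconds: int) -> None:
        # A real agent would push a rule to the firewall; here we record it.
        self.blocked.add((host, seconds))


@dataclass
class Dispatcher:
    firewalls: list
    never_block: list              # DoS guard: networks that must never be blocked
    max_per_sensor: int = 100      # DoS guard: cap on blocks a single sensor may issue
    issued: dict = field(default_factory=dict)

    def is_protected(self, host: str) -> bool:
        # Blocking your own DNS, gateway or management hosts on a spoofed alert
        # would be self-inflicted DoS, so those networks are refused outright.
        addr = ip_address(host)
        return any(addr in ip_network(net) for net in self.never_block)

    def handle_alert(self, sensor: str, src: str, seconds: int = 600) -> list:
        """Fan one sensor's block request out to every firewall.
        Returns the names of the firewalls that applied the block."""
        if self.is_protected(src):
            return []
        if self.issued.get(sensor, 0) >= self.max_per_sensor:
            return []  # a sensor flooding block requests is itself suspect
        self.issued[sensor] = self.issued.get(sensor, 0) + 1
        applied = []
        for fw in self.firewalls:
            fw.block(src, seconds)
            applied.append(fw.name)
        return applied


def demo() -> list:
    # Constructed scenario from the post: 8 firewalls, alert from one sensor.
    fws = [Firewall(f"fw{i}") for i in range(8)]
    d = Dispatcher(fws, never_block=["10.0.0.0/8"], max_per_sensor=2)
    return d.handle_alert("sensor3", "203.0.113.7")
```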