Re: OT: An Idea for an IDS

To: debian-security@lists.debian.org
Subject: Re: OT: An Idea for an IDS
From: nicole <colby@wsu.edu>
Date: Tue, 1 Jul 2003 09:30:17 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.4.44.0307010923540.16314-100000@ghettobox.dhs.org>
Reply-to: nicole <colby@wsu.edu>
In-reply-to: <[🔎] 20030701023915.GE1090@alcor.net>

At 22:39 on Jun 30, Matt Zimmerman shook the earth with:

> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
>
> > Are there any projects out there to do this right now.  If not, is this
> > a good idea?  If it is who would be a person/group that would be
> > qualified and have the time/interest to develop it.
>
> Not really a good idea.  Consider what happens when someone forges the IP
> addresses.

You can combat some of this with a simple list of IP
addresses/hostnames/networks that should never under any circumstances be
blocked.

Another problem seems to be that script kiddies aren't always doing recon
before they do an attack, it seems to be fairly common lately to just run
a series of scripted attacks against a range of IPs (so if you are
vulnerable, you could be exploited at the same time the IDS detects the
attack, if it is detected). Just need to be sure that your IDS and
signatures/detection scheme is up to date, and also possibly use a TCP
reset when you do the block.

SnortSam does something just like this for commercial products and also
IPtables (among other packet filtering schemes), they do include the
ability to timeout a block and to whitelist IPs.

http://www.snortsam.net

-nicole

Reply to:

References:
- Re: OT: An Idea for an IDS
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: OT: An Idea for an IDS
Next by Date: Re: Strongest linux
Previous by thread: Re: OT: An Idea for an IDS
Next by thread: Re: OT: An Idea for an IDS
Index(es):
- Date
- Thread