
Re: OT: An Idea for an IDS



On Tue, Jul 01, 2003 at 10:22:33AM +0200, Volker Tanger wrote:
> ...which is the official license to shoot yourself into the foot. What
> happens if I send you a forged, suspicious packet with source-IP equal
> to the IP address of your gateway router, your DNS server, your internal
> system(s), ...

This is not necessarily a serious problem. In case of using Snort as an
IDS you can make it send alerts only for established TCP sessions. You
are right when you assume that a single IP packet with a spoofed source
address makes your system go nuts. However, running snort with the option
"-z est" does exactly this. It's very hard (if not hardly possible) to
spoof established TCP sessions.

I was already thinking about packaging "guardian" which creates
iptables/ipchains rules for every established connection which looks
dangerous. Unfortunately the quality of the upstream package is
currently 'garbage'.

In addition any script doing such dynamic blocking of other hosts should
be able to know which network is friend and which is foe. :)

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
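The two safeguards the reply describes, acting only on established TCP sessions and knowing which networks are friend rather than foe, combined into one decision function. This is an added example in Python, not code from the post or from the "guardian" package; the addresses, networks and alert records are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Networks that must never be blocked by an automatic rule: a forged source
# address in one of these ranges would otherwise let a single packet cut us
# off from our own gateway, DNS server or internal hosts (constructed values).
PROTECTED_NETS = [
    ipaddress.ip_network("192.0.2.1/32"),    # gateway router
    ipaddress.ip_network("192.0.2.53/32"),   # DNS server
    ipaddress.ip_network("10.0.0.0/8"),      # internal systems
]


@dataclass
class Alert:
    """Minimal stand-in for an IDS alert (hypothetical structure)."""
    src: str
    proto: str
    established: bool   # True only if the TCP handshake completed (cf. snort -z est)


def should_block(alert, protected_nets=PROTECTED_NETS):
    """Return (decision, reason) for turning an alert into a firewall rule."""
    # A lone spoofed packet cannot complete a TCP handshake, so restricting
    # dynamic blocking to established sessions removes the easy self-DoS.
    if alert.proto != "tcp" or not alert.established:
        return False, "not an established TCP session"
    src = ipaddress.ip_address(alert.src)
    # Friend-or-foe check: never fire on our own infrastructure.
    for net in protected_nets:
        if src in net:
            return False, f"source {src} is in protected network {net}"
    return True, f"block {src}"


def iptables_rule(ip):
    """Render the rule a blocker would install; the string is only built, not run."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    # Constructed alerts: a forged packet claiming to be the gateway,
    # a stray UDP packet, and a genuine established session from outside.
    for a in (Alert("192.0.2.1", "tcp", True),
              Alert("203.0.113.7", "udp", False),
              Alert("203.0.113.7", "tcp", True)):
        block, why = should_block(a)
        print(iptables_rule(a.src) if block else f"ignored: {why}")
```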
