[Dshield] Looking for Beta Testers

Dragos Ruiu dr at kyx.net
Wed Jun 5 16:04:22 GMT 2002


Woop Woop! Danger Will Robinson.

There are some inherently problematic issues with a send-the-packet-
with-the-alert output approach.

First is the lack of anonymization and potential disclosure issues
sensitive sites will have with this.  Don't expect much participation
from sites that process sensitive info.

Second is the traffic load.  I hope you have the mother of all internet2
links to be able to handle the traffic load a few hosts doing wide scans
that trigger a lot of alerts create.

Third is the DoS potential.  You will be creating an interesting traffic
mirror.  A clever attacker may figure out how to trigger off alerts
not only on inbound packets, but the outbound packet may trigger as
well if not compensated for. Uh-Oh... :-)

Care is advised,
--dr

P.s. Why do you need a snort plugin for this? The snort unified output 
system seems like it does everything you need including providing binary
packets with alerts.  You more likely need a barnyard plug-in and a
cron job, imho.

On Tue, 4 Jun 2002 16:01:47 -0400
Johannes Ullrich <jullrich at euclidian.com> wrote:

> 
> yes. There is a beta version and a number of people are testing it.
> I had to put it on hold for the last couple of weeks due to some
> other activities with higher priority :-( ... But I hope to pick up
> on it soon.
> 
> 
> > On Wednesday 17 April 2002 3:23 pm, Johannes B. Ullrich wrote:
> > > We are moving ahead on DShield, TsNG (The Snort Generation).
> > > The goal is to setup a snort plugin to report full packet content
> > > in more or less real time.
> > >
> > 
> > did anything happen with this?

-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
       0 = 1 , for large values of zero and small values of one.
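The three concerns in the message above (the report-loop DoS, the load a wide scan creates, and the lack of anonymization), worked through as an added simulation. This is not code from the original thread, from DShield or from snort; the collector address and port, the monitored network, the content signatures, the sample scan and the keyed-hash anonymization scheme are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the simulation (documentation/TEST-NET ranges, not real sites).
COLLECTOR = "203.0.113.10"                            # assumed report collector
COLLECTOR_PORT = 5000                                 # assumed report port
MONITORED = ipaddress.ip_network("192.0.2.0/24")      # assumed monitored network

# Toy content signatures standing in for snort 'content:' rules (constructed).
SIGNATURES = {
    "WEB-CGI phf access": b"/cgi-bin/phf",
    "WEB-IIS unicode traversal": b"/scripts/..%c1%1c../",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def matching_rules(pkt):
    """Return the names of every signature whose content appears in the payload."""
    return [name for name, needle in SIGNATURES.items() if needle in pkt.payload]


def build_report(pkt, rule):
    """The 'send the packet with the alert' report: the offending payload, verbatim."""
    header = f"{rule} {pkt.src} -> {pkt.dst}:{pkt.dport}\n".encode()
    return Packet(str(MONITORED[1]), COLLECTOR, COLLECTOR_PORT, header + pkt.payload)


def is_report_traffic(pkt):
    """The compensation: the sensor-side equivalent of a BPF expression
    'not (host COLLECTOR and port COLLECTOR_PORT)' so reports are never inspected."""
    return pkt.dst == COLLECTOR and pkt.dport == COLLECTOR_PORT


def run_sensor(inbound, exclude_reports, max_packets=10_000):
    """Run the sensor over what it sees on the wire, which includes its own reports.

    Returns (alerts, bytes_sent_to_collector, runaway).  runaway is True when the
    packet budget runs out with work still queued, i.e. the mirror never settles.
    """
    queue = list(inbound)
    alerts, bytes_out, seen = 0, 0, 0
    while queue and seen < max_packets:
        pkt = queue.pop(0)
        seen += 1
        if exclude_reports and is_report_traffic(pkt):
            continue
        for rule in matching_rules(pkt):
            alerts += 1
            report = build_report(pkt, rule)
            bytes_out += len(report.payload)
            queue.append(report)  # the outbound report crosses the same wire the sensor watches
    return alerts, bytes_out, bool(queue)


def wide_scan(n_hosts, payload=b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"):
    """Constructed wide scan: one source hits n_hosts in the monitored network."""
    return [Packet("198.51.100.7", str(MONITORED[i + 1]), 80, payload) for i in range(n_hosts)]


def anonymize_dst(pkt, site_key):
    """One possible anonymization before reporting (an assumption, not DShield's scheme):
    replace the real target with a keyed-hash pseudonym in 10/8, so the collector can
    still correlate repeat hits on one host without learning its real address."""
    d = hmac.new(site_key, pkt.dst.encode(), hashlib.sha256).digest()
    return Packet(pkt.src, f"10.{d[0]}.{d[1]}.{d[2]}", pkt.dport, pkt.payload)


if __name__ == "__main__":
    print("no exclusion, 1 probe :", run_sensor(wide_scan(1), exclude_reports=False, max_packets=500))
    print("exclusion, 200 probes :", run_sensor(wide_scan(200), exclude_reports=True))
    print("anonymized target     :", anonymize_dst(wide_scan(1)[0], b"site-secret").dst)
```

With the exclusion off, a single probe is enough: the report carries the matching bytes, the sensor sees the report go out, alerts on it, and reports again until the packet budget is exhausted. With the exclusion on, a 200-host scan costs exactly 200 alerts, but each one ships the whole packet to the collector, which is the load figure to budget for. The anonymization step has to run before `build_report`, since the report header copies the destination address as well as the payload.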