Assuming one has border router ACLs that protect against spoofed packets claiming to be from inside the local networks, what else can be done to mitigate this type of threat? Does OSSEC do any type of spoof detection?
Ken A. Pacific.Net
Jonathan Scheidell wrote:
I don't know if this has been discussed but I don't think it has. If you are running the active response I would recommend white listing the DNS root servers. If someone was to find out you were running any kind of automated blocker they could (or should if they were smart) spoof attack packets from the DNS root servers' IP addresses. This would cause OSSEC (or whatever software you're running) to temporarily block those IPs and essentially DOS yourself. If you can't make external DNS resolutions you're not going to be able to do ANYTHING on the internet.

Here is a list if anyone wants to cut and paste into their ossec.conf (in the <global> section):

<white_list>198.41.0.4</white_list>
<white_list>192.228.79.201</white_list>
<white_list>192.33.4.12</white_list>
<white_list>128.8.10.90</white_list>
<white_list>192.203.230.10</white_list>
<white_list>192.5.5.241</white_list>
<white_list>192.112.36.4</white_list>
<white_list>128.63.2.53</white_list>
<white_list>192.36.148.17</white_list>
<white_list>192.58.128.30</white_list>
<white_list>193.0.14.129</white_list>
<white_list>198.32.64.12</white_list>
<white_list>202.12.27.33</white_list>

Daniel: I would also recommend this be added to the default ossec.conf (with comments).
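As an added illustration, not part of this thread and not OSSEC's own code, here is a small Python check that pulls the <white_list> entries out of an ossec.conf and reports which of the root server addresses listed in the message above are not yet covered. The sample configuration, the function names and the assumption that white_list entries may be given either as single addresses or in address/prefix form are all the example's own; ossec.conf is not a single well-formed XML document (it normally holds several top-level <ossec_config> blocks), so the parser wraps the file in a synthetic root before reading it.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for the example (not taken from the thread).
# Only two of the root servers are white listed here, so the check should
# report the remaining eleven.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>198.41.0.4</white_list>
    <white_list>192.33.4.12</white_list>
    <white_list>10.0.0.0/8</white_list>
  </global>
</ossec_config>
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# The thirteen root server addresses exactly as listed in the message above.
ROOT_SERVERS = [
    "198.41.0.4", "192.228.79.201", "192.33.4.12", "128.8.10.90",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "128.63.2.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "198.32.64.12",
    "202.12.27.33",
]


def parse_white_list(conf_text):
    """Return every <white_list> entry as an ip_network object.

    A plain address becomes a /32 (or /128) network, so single hosts and
    address/prefix entries can be tested the same way.  Assumption: entries
    are written as 'a.b.c.d' or 'a.b.c.d/nn'.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    nets = []
    for el in root.iter("white_list"):
        text = (el.text or "").strip()
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def is_whitelisted(ip, nets):
    """True if ip falls inside any white listed address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def missing_root_servers(conf_text, servers=ROOT_SERVERS):
    """List the root server addresses that active response could still block."""
    nets = parse_white_list(conf_text)
    return [ip for ip in servers if not is_whitelisted(ip, nets)]


if __name__ == "__main__":
    for ip in missing_root_servers(SAMPLE_OSSEC_CONF):
        print("not white listed: <white_list>%s</white_list>" % ip)
```

Run it against a real ossec.conf by reading the file into a string and passing it to missing_root_servers(); the printed lines are ready to paste into the <global> section. The same check can be reused for any other address you never want active response to touch, by passing your own list as the servers argument.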
