On Mon, 2002-02-11 at 21:34, Dave Sherman wrote:
> I already run snort (and have since day one), and it has logged lots of IP
> addresses and blocked them.

Snort doesn't "block" attackers. At least not without a 3rd-party module that sets iptables (or ipchains) rules.

And it _is_ possible to spoof one's IP address. It's non-trivial, but can be done. It's a matter of sending custom-built packets. It's used when attacking servers that are configured to allow certain hosts access to certain IP addresses. I don't know the details of such attacks, but I know it's possible. Snort is good about having the ability to log such malformed packets, and today's IP stacks are better about ignoring them (there are also packet checksums that need to be correct, as well as sequence numbers), not to mention things like hogwash...

-- 
Ben Lutgens http://people.sistina.com/~blutgens/
System Administrator
Sistina Software Inc.
"If you love someone, set them free. If they come home, set them on fire." - George Carlin