Dailydave mailing list archives
Re: Snorty snort snort
From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 19 Oct 2005 08:49:23 -0700
Aleksander P. Czarnowski wrote:
Another cool thing about NIDS vulnerabilities is how you can scan for it remotely without accessing the local system. You can either try to exploit it or to crash snort. In the latter case how can you tell that it is really crashed without accessing the snort or central console? This is why I just love producing exploits for such things :) Cheers,
Let's just think about this for a minute. Suppose I attack a NIDS. I do something exotic and hard, like, oh, say, writing Dave a check. This means I send (bad packets) through the main network path, and the NIDS, via its tap, which may well be passive, starts coughing furballs. At this point I as a defender assume that you as the attacker are aware you now have a compromised box with a (possibly passive) tap on the main network but a fully functional network interface on some management and/or internal network. I assume you drop in some sort of exploit payload that will figure out how to phone home or crawl around on the management net and attack something soft (like a 2-factor token server running on Windows) and from there you'll phone home. Isn't that how you bad guys do it? I saw Swordfish on cable the other night - unfortunately they watered down the nightclub hacking scene.

The response I WANT to see is that the security appliance is hardened, for some serious value of hardened. grsecurity, immunix, selinux, watchdog timers, some level of defense widgetry. Something. At least show me some interesting lies in the damn powerpoint presentation.

And, I assume that watching the NIDS to see if it's alive is a thing my security infrastructure should be doing. One of my "this is way too easy" product review tricks is to ask security appliance vendors if they emit a log message when the system starts. This appears to be an exotic notion. I assume some of you bad guys will pop a machine such that it reboots, so a spurious startup message can be scored as a red flag in my anomaly-detecting log analyzer...
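As an added example (not part of this thread, and not Snort's own code), here is a small Python log watcher of the kind Rodney's last paragraph asks for: it treats a sensor startup message that is not preceded by a clean shutdown as a red flag, and it flags expected sensors that go silent or never report at all. The syslog-style line format, the marker strings, the sensor names and the sample lines are all constructed assumptions for this example, not real Snort output.

```python
"""Toy NIDS liveness / unexpected-restart detector over syslog-style lines.

Constructed example; the line format and message markers are assumptions,
not Snort's actual log output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed line shape: "<ISO timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Substrings (assumed, case-insensitive) that mark sensor lifecycle events.
STARTUP_MARKERS = ("initialization complete", "starting")
SHUTDOWN_MARKERS = ("shutting down", "received sigterm")


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    msg: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["host"], m["prog"].strip(), m["msg"])


def analyze(lines, expected_sensors, max_silence, window_end):
    """Return sorted (timestamp, host, finding) tuples for a batch of log lines.

    Findings:
      - a startup message with no preceding clean shutdown from that host
        (the "spurious startup" red flag: a crash or an attacker-induced reboot)
      - an expected sensor whose last message is older than max_silence
      - an expected sensor that never reported in the window
    """
    findings = []
    last_seen = {}        # host -> timestamp of the most recent line
    clean_shutdown = {}   # host -> True if its last lifecycle message was a shutdown
    for line in lines:
        ev = parse_line(line)
        if ev is None:            # malformed lines are ignored, not trusted
            continue
        last_seen[ev.host] = ev.ts
        low = ev.msg.lower()
        if any(k in low for k in SHUTDOWN_MARKERS):
            clean_shutdown[ev.host] = True
        elif any(k in low for k in STARTUP_MARKERS):
            if not clean_shutdown.get(ev.host, False):
                findings.append((ev.ts, ev.host, "unexpected startup (no prior clean shutdown)"))
            clean_shutdown[ev.host] = False
    for host in sorted(expected_sensors):
        seen = last_seen.get(host)
        if seen is None:
            findings.append((window_end, host, "sensor never reported in window"))
        elif window_end - seen > max_silence:
            gap = int((window_end - seen).total_seconds())
            findings.append((window_end, host, f"silent for {gap}s"))
    return sorted(findings)


# Constructed sample log: sensor1 does a planned restart, sensor2 restarts
# without a shutdown, sensor3 stops talking, sensor4 never shows up.
SAMPLE_LOG = """\
2005-10-19T08:00:00 sensor1 snort[1001]: heartbeat
2005-10-19T08:05:00 sensor2 snort[2001]: heartbeat
2005-10-19T08:05:00 sensor3 snort[3001]: heartbeat
2005-10-19T08:10:00 sensor1 snort[1001]: Snort received SIGTERM, shutting down
2005-10-19T08:10:30 sensor1 snort[1002]: Snort initialization complete
2005-10-19T08:15:00 sensor1 snort[1002]: heartbeat
2005-10-19T08:20:00 sensor2 snort[2002]: Snort initialization complete
2005-10-19T08:25:00 sensor2 snort[2002]: heartbeat
2005-10-19T08:30:00 sensor1 snort[1002]: heartbeat
this line is garbage and must be ignored
2005-10-19T08:40:00 sensor2 snort[2002]: heartbeat
2005-10-19T08:40:00 sensor1 snort[1002]: heartbeat
"""

EXPECTED_SENSORS = {"sensor1", "sensor2", "sensor3", "sensor4"}


def run_sample():
    """Run the detector over the constructed sample with a 10-minute silence limit."""
    return analyze(SAMPLE_LOG.splitlines(), EXPECTED_SENSORS,
                   timedelta(minutes=10), datetime(2005, 10, 19, 8, 45, 0))


if __name__ == "__main__":
    for ts, host, finding in run_sample():
        print(f"{ts.isoformat()} {host}: {finding}")
```

The planned restart on sensor1 produces no finding because its shutdown message arrived first; the point of keeping that state per host is exactly so that a routine maintenance reboot does not look the same as a sensor that fell over. In a real deployment the silence check would run continuously against the sensor inventory rather than once per batch, and the startup and shutdown markers would be taken from the appliance's actual log format.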