Dailydave mailing list archives

Re: Snorty snort snort


From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 19 Oct 2005 08:49:23 -0700

Aleksander P. Czarnowski wrote:
Another cool thing about NIDS vulnerabilities is how you can scan for it
remotely without accessing the local system. You can either try to exploit
it or to crash Snort. In the latter case how can you tell that it really
crashed without accessing the Snort box or central console?
This is why I just love producing exploits for such things :)
Cheers,

Let's just think about this for a minute.  Suppose I attack a NIDS.
I do something exotic and hard, like, oh, say, writing Dave a check.
This means I send (bad packets) through the main network path,
and the NIDS, via its tap, which may well be passive, starts coughing
furballs.

At this point I as a defender assume that you as the attacker are aware
you now have a compromised box with a (possibly passive) tap on the
main network but a fully functional network interface on some management
and/or internal network.  I assume you drop in some sort of exploit
payload that will figure out how to phone home or crawl around on the
management net and attack something soft (like a 2-factor token server
running on Windows) and from there you'll phone home.

Isn't that how you bad guys do it?  I saw Swordfish on cable the other
night - unfortunately they watered down the nightclub hacking scene.

The response I WANT to see is that the security appliance is hardened,
for some serious value of hardened.  grsecurity, immunix, selinux,
watchdog timers, some level of defense widgetry.  Something.  At least show
me some interesting lies in the damn powerpoint presentation.  And, I assume that
watching the NIDS to see if it's alive is a thing my security infrastructure
should be doing.  One of my "this is way too easy" product review tricks
is to ask security appliance vendors if they emit a log message when the
system starts.  This appears to be an exotic notion.  I assume some of
you bad guys will pop a machine such that it reboots so a spurious startup
message can be scored as a red flag in my anomaly-detecting log analyzer...
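One way to score the two liveness signals Rodney describes (a startup message outside a planned window, and a sensor that simply goes quiet) against sensor syslog. This is an added example, not code from the thread or from any product; the sensor host name nids01, the "heartbeat ok" and "starting up" message strings, and the five-minute heartbeat interval are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog from a hypothetical sensor host "nids01"
# (message wording is assumed, not real Snort output). The sensor
# heartbeats every 5 minutes, then silently dies and reboots.
SAMPLE_LOG = """\
Oct 19 08:00:00 nids01 sensor[412]: heartbeat ok
Oct 19 08:05:00 nids01 sensor[412]: heartbeat ok
Oct 19 08:10:00 nids01 sensor[412]: heartbeat ok
Oct 19 08:31:07 nids01 sensor[77]: sensor starting up
Oct 19 08:32:00 nids01 sensor[77]: heartbeat ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


def parse_ts(text, year=2005):
    """Syslog timestamps carry no year; the caller supplies one."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def audit_sensor_log(lines, heartbeat_every=timedelta(minutes=5), grace=2,
                     maintenance=(), now=None):
    """Return (kind, timestamp, detail) alerts: an 'unexpected_restart' for a
    startup message outside any (start, end) maintenance window, and a
    'heartbeat_gap' when heartbeats stop for more than grace * interval
    (also checked against `now` so a sensor that died and never came back
    is still reported)."""
    alerts, last_hb = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog-shaped line; ignore
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if last_hb is not None and ts - last_hb > heartbeat_every * grace:
            alerts.append(("heartbeat_gap", ts, f"no heartbeat since {last_hb:%H:%M:%S}"))
            last_hb = None  # report each gap once
        if "starting up" in msg and not any(a <= ts <= b for a, b in maintenance):
            alerts.append(("unexpected_restart", ts, msg))
        if "heartbeat ok" in msg:
            last_hb = ts
    if now is not None and last_hb is not None and now - last_hb > heartbeat_every * grace:
        alerts.append(("heartbeat_gap", now, f"silent since {last_hb:%H:%M:%S}"))
    return alerts
```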