IDS mailing list archives

Re: best ids placement?


From: Simon Adlem <sadlem () fotango com>
Date: Tue, 19 Aug 2003 10:56:56 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 18 Aug 2003 7:50 pm, Rob Shein may quite possibly have written:
> Actually, this isn't accurate.  Just because an IDS doesn't have a two-way
> connection on the wire doesn't mean that it cannot be compromised by
> traffic it monitors.  For example, let's say you had a box running an older
> version of snort or tcpdump, with one of the vulnerabilities that were
> found, hooked up to a wire via a tap.  You could theoretically root that
> box, even if it had no other network connectivity besides that tap.  But
> realistically speaking, an IDS is going to typically have connectivity via
> another route; otherwise how can you do IP block lookups, googling, etc. to
> determine more about attacks?  Furthermore, besides rooting, what if the
> attacker merely wanted to knock the IDS offline for a bit...then it becomes
> a lot more feasible and realistic as an attack.  So remember; taps are NOT a
> guarantee against attacks aimed at an IDS.  They make the IDS invisible,
> but it doesn't cost much to squirt a few generic snort/tcpdump/whatever
> else attacks onto the wire just in case.


Hi Rob,

Thanks for your comments.

Interesting points there.

Agreed that it's not a complete solution and the IDS can still be affected;
however, other than the DoS scenario that you mention, we find that the taps
do make it harder to detect and attack the IDS than if it was connected
straight to the wire.

I don't tend to use the IDS box for googling, lookups etc. anyway. The IDS is
a Linux box that just sits and does its thing and I do further analysis on my
workstation.


Take care


Simon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/QfRoAEPeBJNaHh0RAra3AJ9vuKCbT6G5nXH+7RFcGpExGi2g5QCdEhKT
9wyMHr3t+3n/zhS9NuV5G4M=
=2VSF
-----END PGP SIGNATURE-----
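Simon's setup, a sensor that only listens on the tap and has no other path out, is the part of this discussion a defender can actually verify on the box. The script below is an added example, not code from either poster or from any IDS project: it parses the one-record-per-line output of `ip -o link` and `ip -o addr` (the sample output is constructed inline) and flags a sniffing interface that carries an IP address or lacks the PROMISC/NOARP flags, since an address or ARP on the sniffing side gives an attacker on the monitored wire a way to reach the host's IP stack. It does not address Rob's point about decoder bugs: a vulnerable snort/tcpdump still parses whatever arrives through the tap, so this check reduces reachable surface rather than removing it. Interface names and the `SNIFF_INTERFACES` list are assumptions for the example.

```python
"""Check that a sensor's sniffing interfaces are configured "stealth".

Parses `ip -o link` / `ip -o addr` output (one record per line) and reports
sniffing interfaces that carry an IP address or lack PROMISC / NOARP.
The sample output below is constructed for this example.
"""
import re
from dataclasses import dataclass, field

# `ip -o link`: "2: eth1: <BROADCAST,...> mtu 1500 ..."; VLAN ifaces look like "eth1.10@eth1".
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")
# `ip -o addr`: "2: eth0    inet 192.0.2.1/24 brd ..." or "... inet6 fe80::.../64 scope link ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+(?P<family>inet6?)\s+(?P<addr>\S+)")

# Constructed sample: eth0 is the management NIC, eth1 is a correctly configured
# sniffing NIC, eth2 is a sniffing NIC someone gave an address and left ARP on.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:03 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
4: eth2    inet 192.0.2.20/24 brd 192.0.2.255 scope global eth2\\       valid_lft forever preferred_lft forever
"""
SNIFF_INTERFACES = ["eth1", "eth2"]  # assumed: the NICs plugged into the tap


@dataclass
class Iface:
    name: str
    flags: set = field(default_factory=set)
    addrs: list = field(default_factory=list)  # (family, address/prefix)


def parse_ip_output(link_text: str, addr_text: str) -> dict:
    """Build {name: Iface} from the two `ip -o` listings."""
    ifaces = {}
    for line in link_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            ifaces[m["name"]] = Iface(m["name"], set(m["flags"].split(",")))
    for line in addr_text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            ifaces.setdefault(m["name"], Iface(m["name"])).addrs.append((m["family"], m["addr"]))
    return ifaces


def audit_sniffer(ifaces: dict, sniff_names) -> list:
    """Return one finding per deviation from a stealth sniffing configuration."""
    findings = []
    for name in sniff_names:
        iface = ifaces.get(name)
        if iface is None:
            findings.append(f"{name}: not present")
            continue
        for family, addr in iface.addrs:
            if family == "inet6" and addr.lower().startswith("fe80:"):
                # Kernel auto-assigns link-local IPv6; disable IPv6 on the sniffing NIC.
                findings.append(f"{name}: has link-local IPv6 {addr}; disable IPv6 on sniffing interface")
            else:
                findings.append(f"{name}: has address {addr}; sniffing interface should carry no IP")
        if "PROMISC" not in iface.flags:
            findings.append(f"{name}: PROMISC not set; sensor will miss traffic not addressed to it")
        if "NOARP" not in iface.flags:
            findings.append(f"{name}: NOARP not set; interface will answer ARP and reveal itself")
    return findings


def run_sample() -> list:
    """Audit the constructed sample; eth1 is clean, eth2 yields two findings."""
    return audit_sniffer(parse_ip_output(SAMPLE_LINK, SAMPLE_ADDR), SNIFF_INTERFACES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a real sensor, feed it `subprocess.run(["ip", "-o", "link"], capture_output=True, text=True).stdout` and the same for `addr` instead of the constructed strings. Management traffic, and the analysis Simon does from his workstation, should stay on a separate NIC that never sees the tap.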



