Snort mailing list archives
Can Snort Detect R2L attack?
From: KFC <chong238803 () yahoo com>
Date: Mon, 4 Jun 2001 01:58:59 -0700 (PDT)
Dear All,

From my knowledge, Snort is a "grep network IDS". It can only detect attacks by sniffing and matching, right? Well, I read the paper "IDS Evaluation Program 1998" by MIT Lincoln Lab, DARPA; they classify attacks into 4 types: denial of service (DoS), probe, user to root (U2R), and remote to local (R2L). A remote to local attack, an attack by an unauthorized user from outside the system to hijack privileges, is a very harmful attack. Normally on UNIX, R2L attacks will appear in network privileged processes/program services, i.e. ftpd, telnetd, fingerd etc. The attacker will use some vulnerability of that program such as: buffer overflow, input validation (PHF attack in CGI), Trojan, backdoor. In Snort I see some rules that can detect BOF and PHF attacks by matching with data in audited packets. IMHO, R2L and U2R can be detected by monitoring with a HIDS like the Saint Jude Linux Kernel Module. This way, you can detect when you were attacked. I think a network IDS is the first line of defence to detect before the attack reaches the process.

OK, I have some questions about Snort, network detection and R2L attacks:

Q1: Are there other rules that can detect R2L attacks in Snort?

Q2: Which network information or NIDS, and how, to implement to detect R2L? Are there any papers/tools/information that talk about this?

Sorry, I am not good in English; feel free to comment on my message.

Regards,
Chowalit Tinny
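The "sniff and match" model the post describes, shown as an added example (not Snort's code and not part of the original message): a minimal rule engine with a Snort-like `content:` match and an extra length check, run over a few constructed packets. The rule ids, rule text, hosts and payloads are all made up for the example; the PHF rule matches the CGI path the post mentions, and the FTP rule flags a command argument far longer than any legitimate one, the kind of anomaly a buffer-overflow signature keys on.

```python
"""Minimal Snort-style payload matcher (illustration only, not Snort's own code).

Shows how content-matching rules flag R2L-style requests aimed at network
services, and where pure payload matching stops: the rules see only bytes on
the wire, so they fire on a request pattern, not on whether the service was
actually compromised.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int                      # rule id, constructed for this example
    msg: str
    dport: Optional[int]          # restrict to a service port, like Snort's header
    content: Optional[bytes] = None   # substring match, like Snort's "content:"
    nocase: bool = False              # case-insensitive match, like "nocase;"
    check: Optional[Callable[[bytes], bool]] = None  # extra predicate on payload

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None:
            hay = pkt.payload.lower() if self.nocase else pkt.payload
            needle = self.content.lower() if self.nocase else self.content
            if needle not in hay:
                return False
        if self.check is not None and not self.check(pkt.payload):
            return False
        return True


def ftp_arg_too_long(payload: bytes, limit: int = 100) -> bool:
    """True if any FTP command line carries an argument longer than `limit`.

    Legitimate FTP arguments (usernames, paths) are short; a very long one is the
    classic shape of an overflow attempt against a privileged daemon.
    """
    for line in payload.split(b"\r\n"):
        parts = line.split(b" ", 1)
        if len(parts) == 2 and len(parts[1]) > limit:
            return True
    return False


# Constructed rule set (sids and messages are hypothetical, not real Snort sids).
RULES = [
    Rule(sid=1000001, msg="WEB-CGI phf access", dport=80,
         content=b"/cgi-bin/phf", nocase=True),
    Rule(sid=1000002, msg="FTP oversized command argument", dport=21,
         check=ftp_arg_too_long),
]


def scan(packets: List[Packet], rules=RULES) -> List[Tuple[int, str, str, str]]:
    """Return (sid, msg, src, dst) for every rule that matches every packet."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.sid, rule.msg, pkt.src, pkt.dst))
    return alerts


# Constructed sample traffic, not real captures.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.1", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.1", 80, b"GET /cgi-bin/PHF?name=test HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.6", "10.0.0.1", 21, b"USER anonymous\r\n"),
    Packet("10.0.0.6", "10.0.0.1", 21, b"USER " + b"A" * 300 + b"\r\n"),
]


def alert_sids(packets: List[Packet] = SAMPLE) -> List[int]:
    """Convenience wrapper: just the sids that fired, in packet order."""
    return [sid for sid, _, _, _ in scan(packets)]


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Two of the four packets raise an alert: the mixed-case PHF request (the `nocase` flag matters here) and the oversized FTP argument. The same traffic on a non-standard port would pass both rules untouched, which is one concrete reason the poster's point about pairing a network sensor with a host-based monitor holds: a payload matcher reports what it saw on the wire, while the host is the only place that can confirm whether a privileged process was actually affected.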