Snort mailing list archives

Re: dhcp assigned address and no ip on snort interface


From: pbsarnac () ThoughtWorks com
Date: Thu, 21 Feb 2002 20:11:44 -0600



On Thu, Feb 21, 2002 at 05:57:18PM -0600, pbsarnac () ThoughtWorks com wrote:
aware of the risks when using this solution. According to
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
the pix is only vulnerable from the host specified in your snmp-server host
config line, which should greatly reduce your risk, but you should
definitely plan on upgrading to a patched version at some point.

"Bzzzzzzzzt!"

I'm a frayed knot. :-)

Don't forget, SNMP uses UDP. Therefore the entire exploit can be
spoofed...

[ignore the fact that the hacker has to successfully guess your snmp
management station's IP address of course...]

Perhaps I should have said "somewhat reduce your risk".  As with any
security suggestion, you need to tailor this to your own environment and
weigh costs against benefits. If you're in a high security environment,
then you should probably be concerned about an insider (or an attacker with
a compromised machine on your internal network) sniffing for SNMP traffic
(or otherwise discovering your and using the discovered IP addresses to
launch spoofed attacks against your router.  According to the Cisco
advisory above, the worst that can happen with these vulnerabilities is a
DoS of your PIX (which fails closed, disallowing any traffic), which may or
may not be a significant security issue for your organization.

As always, mailing list postings (most especially mine!) should be read
with a careful eye and a skeptical attitude. :)

pat s.
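
The point argued in this thread, as an added example that is not part of the original posts: SNMP runs over UDP, so a source-address check alone cannot tell the real management station from a forged datagram, while a check on the arriving interface catches forgeries that come from the wrong side. The station address, interface names and packet records below are constructed assumptions.

```python
import ipaddress

# Assumed values for illustration (not from the thread).
MGMT_STATION = ipaddress.ip_address("192.0.2.10")  # address allowed to send SNMP
MGMT_IFACE = "inside"   # interface the management station sits behind
SNMP_PORT = 161

def classify(pkt):
    """Classify one UDP datagram record with keys iface, src, dport."""
    if pkt["dport"] != SNMP_PORT:
        return "ignore"
    if ipaddress.ip_address(pkt["src"]) != MGMT_STATION:
        return "deny-acl"        # the source-address restriction already drops this
    if pkt["iface"] != MGMT_IFACE:
        return "alert-spoofed"   # allowed address arriving from the wrong side
    # UDP has no handshake, so a sender on the same side as the real
    # station is indistinguishable from it at this layer.
    return "allow-unverified"

# Constructed sample records, not captured traffic.
SAMPLE = [
    {"iface": "inside",  "src": "192.0.2.10",   "dport": 161},
    {"iface": "outside", "src": "192.0.2.10",   "dport": 161},
    {"iface": "outside", "src": "198.51.100.7", "dport": 161},
    {"iface": "inside",  "src": "192.0.2.44",   "dport": 53},
]

def review(packets):
    """Return (verdict, packet) pairs in input order."""
    return [(classify(p), p) for p in packets]

if __name__ == "__main__":
    for verdict, p in review(SAMPLE):
        print(f'{verdict:17} {p["iface"]:8} {p["src"]}:{p["dport"]}')
```

The "allow-unverified" verdict is the insider case raised in the reply: a forged datagram sent from the same side as the real station passes both checks.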

