Snort mailing list archives

RE: How does Snort protect itself ?


From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Wed, 11 Sep 2002 08:06:09 +0800

I agree 100% with twig les, best way to protect the sensor is by hardening
the OS (install only the minimum required packages for the sensor to function),
apply patches, close all ports and leave only those that are required, use an IP-less
interface and one admin interface which you could ssh to connect to it, run
file integrity tools like AIDE (similar to Tripwire but it's free).

Best Regards

Ohanes Semerjian

PGP key
6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254


-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Tuesday, 10 September 2002 13:43
To: Vinay A. Mahadik; KD Rajkumar
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How does Snort protect itself ?


I wouldn't use snort to protect the sensor.  On top of
what V. wrote, Snort protects *itself* by running as a
normal user with no shell, and by not using shoddy
programming (no buffer overflows on bugtraq :).

Using Snort to protect your sensor is like using the
back of a screwdriver as a hammer.  It would be a
better idea to do the traditional grunt work of
hardening the OS by pruning useless services, patching
it, and firewalling it.


--- "Vinay A. Mahadik" <VAMahadik () lbl gov> wrote:
KD Rajkumar wrote:

Hi,

How does Snort protect itself against attacks? If an attacker is trying
to take down the IDS itself, is Snort capable of detecting and thwarting
it?


Briefly.. although perhaps not optimized for self-defense, there are
mechanisms like 'memcap' (and consequent aggressive pruning, and random
nuking of states), and 'timeout' for preprocessors like frag2, stream4.
There's '-z est' defense against stick/snot attacks. For evasion
attacks, there are dedicated preprocessors and preprocessor options, and
some internal source code tweaks like the 1.9.x's pseudo-random
FLUSH_POINTs in stream4. These are just pointers and not a complete
list.. It would be good to have a separate discussion in the manual
about these..

--
Vinay A. Mahadik
Summer Intern
System & Network Security Group
Lawrence Berkeley National Lab
(510) 495 2618





-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of
that same old
cell phone?  Get a new here for FREE!

https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:


https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------

__________________________________________________
Yahoo! - We Remember
9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute
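The 'memcap' and 'timeout' knobs Vinay mentions, and the '-u'/'-g' unprivileged-user mode twig les refers to, look like the following in practice. This is an added illustration written for this archive page, not configuration taken from any of the posters or from the Snort distribution; the numeric values are assumed, chosen to match what the Snort 1.9-era defaults were commonly set to, and should be tuned to the sensor's memory and traffic load.

```conf
# Added example snort.conf fragment (not from the thread or the Snort project).
# Both preprocessors keep per-fragment / per-session state that an attacker
# can try to inflate. 'memcap' bounds the bytes that state may consume, so a
# flood causes the preprocessor to prune old entries instead of exhausting
# the sensor's memory; 'timeout' expires idle entries on its own.

# IP fragment reassembly: at most ~4 MB of fragment state, idle fragments
# dropped after 60 s (assumed values).
preprocessor frag2: timeout 60, memcap 4194304

# TCP stateful inspection: at most ~8 MB of session state, idle sessions
# dropped after 30 s (assumed values). stream4 must be enabled for the
# '-z est' command-line option to have any effect.
preprocessor stream4: detect_scans, disable_evasion_alerts, timeout 30, memcap 8388608

# Stream reassembly rides on top of stream4 and uses the same memcap.
preprocessor stream4_reassemble
```

With that configuration the sensor would typically be started as an unprivileged account that has no login shell, listening only on the IP-less sniffing interface: `snort -u snort -g snort -i eth1 -z est -c /etc/snort/snort.conf -D`. `-u`/`-g` drop root after the capture socket is opened, and `-z est` makes Snort alert only on TCP packets that belong to a session stream4 has actually seen established, which is what blunts the stick/snot style of alert-flooding with spoofed single packets. The `snort` account name and interface name are assumptions for the example.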


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
In remembrance
www.osdn.com/911/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

