Re: How does Snort protect itself ?

["KD Rajkumar" <koderma () hotmail com>]

I think you misunderstood my question. I wasn't asking if one could use 
Snort to protect Snort.


> From: twig les <twigles () yahoo com>
> To: "Vinay A. Mahadik" <VAMahadik () lbl gov>, KD Rajkumar 
> <koderma () hotmail com>
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] How does Snort protect itself ?
> Date: Mon, 9 Sep 2002 20:42:47 -0700 (PDT)
>
> I wouldn't use snort to protect the sensor.  On top of
> what V. wrote, Snort protects *itself* by running as a
> normal user with no shell, and by not using shoddy
> programming (no buffer overflows on bugtraq :).
>
> Using Snort to protect your sensor is like using the
> back of a screwdriver as a hammer.  It would be a
> better idea to do the traditional grunt work of
> hardening the OS by pruning useless services, patching
> it, and firewalling it.
>
>
> --- "Vinay A. Mahadik" <VAMahadik () lbl gov> wrote:
> > KD Rajkumar wrote:
> >
> > > Hi,
> > >
> > > How does Snort protect itself against attacks. If
> > an attacker is trying
> > > to take down the IDS itself, is Snort capable of
> > detecting and thwarting
> > > it ?
> > >
> >
> > Briefly.. although perhaps not optimized for
> > self-defense, there are
> > mechanisms like 'memcap' (and consequent aggressive
> > pruning, and random
> > nuking of states), and 'timeout' for preprocessors
> > like frag2, stream4.
> > There's '-z est' defense against stick/snot attacks.
> > For evasion
> > attacks, there are dedicated preprocessors and
> > preprocessor options, and
> > some internal source code tweaks like the 1.9.x's
> > pseudo-random
> > FLUSH_POINTs in stream4. These are just pointers and
> > not a complete
> > list.. It would be good to have a separate
> > discussion in the manual
> > about these..
> >
> > --
> > Vinay A. Mahadik
> > Summer Intern
> > System & Network Security Group
> > Lawrence Berkeley National Lab
> > (510) 495 2618
> >
> >
> >
> >
> >
> -------------------------------------------------------
> > This sf.net email is sponsored by: OSDN - Tired of
> > that same old
> > cell phone?  Get a new here for FREE!
> >
> https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or
> > unsubscribe:
> >
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> >
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> =====
> -----------------------------------------------------------
> Heavy metal made me do it.
> -----------------------------------------------------------
>
> __________________________________________________
> Yahoo! - We Remember
> 9-11: A tribute to the more than 3,000 lives lost
> http://dir.remember.yahoo.com/tribute




_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users