Snort mailing list archives
Re: BO preproc exploit published
From: Richard Harman <snort () richardharman com>
Date: Thu, 27 Oct 2005 00:08:39 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'll tell brad spangler where to send the check ;) But seriously, byte_jump is absolutely correct here -- PaX and GRSecurity (hell, hardened Gentoo too) are awesome security solutions for linux systems. PaX/GRSec are kernel patches that stop many common exploits dead in the water. Harened Gentoo is all of the above plus more. They are not hackerproof (dare I say nothing is, most vuln developers are smarter than the average coder), but they should stop a good number of the script-kiddies out there. Hardened Gentoo can be a little difficult to get up and running (ofcourse, I was running it almost 2 years ago and had to do things the HARD way before they fixed Xorg, tool chain problems, etc) but once you get the hang of it, it's beautiful. If I was (re)building all my snort sensors I'd go the pax/grsec route. What's the point of an IDS if it gets hacked? Oh, and solar (of Hardened Gentoo) says that the harened Gentoo Herd explicitly brands gcc to provide the SSP/PIE info in gcc -v; the rest don't show that info even if they have it. A better way to check if your GCC has -fstack-protector is to look in the man page. You can't just try running 'gcc -fstack-protector' either, because it will simply accept it as a valid switch even if it isn't. byte_jump wrote:
ProPolice: http://www.research.ibm.com/trl/projects/security/ssp/ You need to have a GCC that has stack-smash-protector (SSP) functionality. You can see if your GCC does by issuing the following command: gcc -v If your gcc has SSP built in, it will output something like this: gcc version 3.3.4 20040623 (Gentoo Hardened Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6) The "ssp" and "pie" (Position-Independent Executable) are what you want to see. During compilation you want to see something like "fstack-protector" in the compilation output. You can Google for more info, but those are the basics. Grsecurity and PaX can be found here: http://grsecurity.net/ http://pax.grsecurity.net/ Those are patches for the Linux kernel and I highly recommend that you read the info available on grsecurity's site. The "features" page has quite a list describing what grsecurity does: http://grsecurity.net/features.php On 10/26/05, Ron Jenkins <rjenkins () dibr net> wrote:Hello Do you have web links for those two? I am interested in looking at them. Thanks much...------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDYFLH3rKdb192Vz8RAgogAKCQDyXpef+pgOS01adOHMh2EGlUOACfT7Kj 6mM/mhTssnvtDeEHqAAmwGQ= =84+c -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BO preproc exploit published Paul Melson (Oct 25)
- Re: BO preproc exploit published Matthew Watchinski (Oct 26)
- RE: BO preproc exploit published Paul Melson (Oct 26)
- Re: BO preproc exploit published byte_jump (Oct 26)
- Re: BO preproc exploit published Murali Raju (Oct 27)
- RE: BO preproc exploit published Paul Melson (Oct 26)
- Re: BO preproc exploit published Matthew Watchinski (Oct 26)
- <Possible follow-ups>
- Re: BO preproc exploit published byte_jump (Oct 26)
- Re: BO preproc exploit published Richard Harman (Oct 26)
- RE: BO preproc exploit published Ron Jenkins (Oct 26)
- BO preproc exploit published Paul . Melson (Nov 01)