Re: BO preproc exploit published

[Richard Harman <snort () richardharman com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'll tell brad spangler where to send the check ;)

But seriously, byte_jump is absolutely correct here -- PaX and
GRSecurity (hell, hardened Gentoo too) are awesome security solutions
for linux systems.  PaX/GRSec are kernel patches that stop many common
exploits dead in the water.  Harened Gentoo is all of the above plus
more.  They are not hackerproof (dare I say nothing is, most vuln
developers are smarter than the average coder), but they should stop a
good number of the script-kiddies out there.

Hardened Gentoo can be a little difficult to get up and running
(ofcourse, I was running it almost 2 years ago and had to do things the
HARD way before they fixed Xorg, tool chain problems, etc) but once you
get the hang of it, it's beautiful.

If I was (re)building all my snort sensors I'd go the pax/grsec route.
What's the point of an IDS if it gets hacked?

Oh, and solar (of Hardened Gentoo) says that the harened Gentoo Herd
explicitly brands gcc to provide the SSP/PIE info in gcc -v; the rest
don't show that info even if they have it.  A better way to check if
your GCC has -fstack-protector is to look in the man page.  You can't
just try running 'gcc -fstack-protector' either, because it will simply
accept it as a valid switch even if it isn't.

byte_jump wrote:
> ProPolice:
> http://www.research.ibm.com/trl/projects/security/ssp/
> You need to have a GCC that has stack-smash-protector (SSP)
> functionality. You can see if your GCC does by issuing the following
> command:
> gcc -v
>
> If your gcc has SSP built in, it will output something like this:
> gcc version 3.3.4 20040623 (Gentoo Hardened Linux 3.3.4-r1,
> ssp-3.3.2-2, pie-8.7.6)
>
> The "ssp" and "pie" (Position-Independent Executable) are what you
> want to see. During compilation you want to see something like
> "fstack-protector" in the compilation output. You can Google for more
> info, but those are the basics.
>
> Grsecurity and PaX can be found here:
> http://grsecurity.net/
> http://pax.grsecurity.net/
>
> Those are patches for the Linux kernel and I highly recommend that you
> read the info available on grsecurity's site. The "features" page has
> quite a list describing what grsecurity does:
> http://grsecurity.net/features.php
>
>
>
> On 10/26/05, Ron Jenkins <rjenkins () dibr net> wrote:
>
> > Hello
> >
> > Do you have web links for those two? I am interested in looking at them.
> >
> > Thanks much...
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the JBoss Inc.
> Get Certified Today * Register for a JBoss Training Course
> Free Certification Exam for All Training Attendees Through End of 2005
> Visit http://www.jboss.com/services/certification for more information
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDYFLH3rKdb192Vz8RAgogAKCQDyXpef+pgOS01adOHMh2EGlUOACfT7Kj
6mM/mhTssnvtDeEHqAAmwGQ=
=84+c
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users