Snort mailing list archives
Re: RELRO security in Snort-2.9.x
From: Joshua Kinard <kumba () gentoo org>
Date: Wed, 13 Apr 2016 19:30:53 -0400
RELRO and related commands are common on "hardened" toolchains. Gentoo's got a pretty extensive overview of how our hardened toolchain works, as well as a hardened FAQ:

https://wiki.gentoo.org/wiki/Hardened/Toolchain
https://wiki.gentoo.org/wiki/Hardened/FAQ

Some of it is distro-specific to us, but some of the information there is applicable to other distros.

One of my boxes runs a full hardened profile + toolchain, and I recently tested Snort-2.9.8.2 on it and didn't notice any issues scanning some large PCAP files against portions of the ET ruleset. checksec.sh had this to say about that binary:

./checksec.sh --file /usr/bin/snort
RELRO        STACK CANARY   NX           PIE          RPATH      RUNPATH      FILE
Full RELRO   Canary found   NX enabled   PIE enabled  No RPATH   No RUNPATH   /usr/bin/snort

So it looks like RELRO and other hardened bits JustWork() on Snort.

--J

On 04/02/2016 06:52, Shawn wrote:
> Hi Victor,
>
> On Wed, Mar 16, 2016 at 4:32 AM, Victor Roemer <viroemer () cisco com> wrote:
> > Bill,
> >
> > I don't know of these options; care to point us at some literature?
>
> Take a look:
> http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html
>
> Beside RELRO, Snort running as an important component of networking system should take care of other major GCC mitigation like NX/PIE/ASLR/CANARY:
> http://hardenedlinux.org/system-security/2015/06/09/debian-security-chklist.html
> https://raw.githubusercontent.com/citypw/security-regression-testing-for-suse/master/other/vulns_hardening_assessment.log
>
> > Does this stuff prevent someone from calling mprotect and just making the memory writable?
>
> No, RELRO is nothing to do with MPROTECT, which you might think it is a feature from PaX/Grsecurity.
>
> > On 3/15/16 16:22, Bill Parker wrote:
> > > Hi All,
> > >
> > > Does anyone have a take on this:
> > >
> > > -Wl,-z,relro,-z,now
> > >
> > > RELRO (read-only relocation). The options relro & now specified together are known as "Full RELRO". You can specify "Partial RELRO" by omitting the now flag. RELRO marks various ELF memory sections read-only (E.g. the GOT)
> > >
> > > This is an option to gcc, when I run a checksec.sh script against the snort binary, it comes back with Partial RELRO, rather than FULL.
> > >
> > > Bill
Current thread:
- Re: RELRO security in Snort-2.9.x Shawn (Apr 12)
- Re: RELRO security in Snort-2.9.x Joshua Kinard (Apr 13)