Snort mailing list archives

Can Snort detect R2L attacks?


From: KFC <chong238803 () yahoo com>
Date: Mon, 4 Jun 2001 01:58:59 -0700 (PDT)


Dear All...

        From my knowledge, Snort is a "grep network IDS". It can only detect attacks by sniff & match, right? Well, I
read the paper "IDS Evaluation Program 1998 by MIT Lincoln Lab, DARPA"; they classify attacks into 4 types: denial of
service (DoS), probe, user to root (U2R), and remote to local (R2L).

      A remote to local attack (an attack by an unauthorized user from outside the system to hijack privileges) is a very
harmful attack. Normally on UNIX, R2L attacks will appear in network privileged processes/program services, i.e. ftpd,
telnetd, fingerd etc. The attacker will use some vulnerability of that program, such as: buffer overflow, input
validation (PHF attack in CGI), trojan, backdoor. In Snort I see some rules that can detect BOF and PHF attacks by
matching against data in the audited packets.

   IMHO, R2L and U2R can be detected by monitoring with a HIDS like the Saint Jude Linux Kernel Module. This way, you can
detect when you were attacked. I think a network IDS is the first line of defence, to detect before the attack reaches the
process...

    OK, I have some questions about Snort, network detection and R2L attacks:

  Q1: Are there other rules that can detect R2L attacks in Snort?

  Q2: Which network information or NIDS should be implemented, and how, to detect R2L? Is there any paper/tool/information
that talks about this?

 Sorry, I am not good in English; feel free to comment on my message.

 

Regards

Chowalit Tinny




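As an added example (not part of the original message, and not Snort's own code or rule set), here is a minimal Python "sniff and match" detector in the spirit the post describes: two hypothetical signatures, one for the PHF CGI attack and one for an overly long ftpd USER argument, run over constructed packet payloads. The rule names, the rule contents, the `Rule`/`inspect`/`normalize_http` helpers and the sample packets are all assumptions made for this example. The last sample packet shows the caveat a pure content matcher needs: a URL-encoded byte in the request path slips past a literal match unless the HTTP payload is decoded first.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Rule:
    """One signature, modelled loosely on the options of a Snort rule (hypothetical)."""
    msg: str
    dport: int
    content: bytes = b""   # literal substring, like Snort's 'content'
    nocase: bool = False   # case-insensitive 'content', like Snort's 'nocase'
    pcre: str = ""         # regular expression, like Snort's 'pcre'


# Illustrative signatures for the two R2L patterns named in the post.
# These are written for this example, not taken from Snort's rule set.
RULES = [
    Rule("WEB-CGI phf access", 80, content=b"/cgi-bin/phf", nocase=True),
    Rule("FTP USER overflow attempt", 21, pcre=r"^USER\s+[^\r\n]{100,}"),
]


def normalize_http(payload: bytes) -> bytes:
    """Decode %xx escapes so an encoded path cannot dodge a literal match."""
    return unquote_to_bytes(payload)


def rule_matches(rule: Rule, dport: int, payload: bytes) -> bool:
    """Apply one signature to one packet: port, then content, then pcre."""
    if dport != rule.dport:
        return False
    if rule.content:
        hay = payload.lower() if rule.nocase else payload
        needle = rule.content.lower() if rule.nocase else rule.content
        if needle not in hay:
            return False
    if rule.pcre and not re.search(rule.pcre.encode(), payload, re.MULTILINE):
        return False
    return True


def inspect(packets, normalize: bool = False):
    """Return the messages of every rule that fires, in packet order.

    With normalize=True, HTTP payloads (port 80) are URL-decoded before
    matching, which is what closes the encoding gap shown below.
    """
    alerts = []
    for dport, payload in packets:
        if normalize and dport == 80:
            payload = normalize_http(payload)
        for rule in RULES:
            if rule_matches(rule, dport, payload):
                alerts.append(rule.msg)
    return alerts


# Constructed sample traffic as (destination port, TCP payload); not captured data.
SAMPLE_PACKETS = [
    # Classic PHF request: newline-separated shell command in the Qalias parameter.
    (80, b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"),
    # 300-byte USER argument, the shape of an ftpd stack overflow attempt.
    (21, b"USER " + b"A" * 300 + b"\r\n"),
    # Benign anonymous login, should not alert.
    (21, b"USER anonymous\r\n"),
    # Same PHF request with one byte URL-encoded: "%70" is "p".
    # A literal content match misses this unless the payload is decoded first.
    (80, b"GET /cgi-bin/%70hf?Qalias=x%0a/bin/id HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("raw match:       ", inspect(SAMPLE_PACKETS))
    print("with normalizing:", inspect(SAMPLE_PACKETS, normalize=True))
```

Run as-is, the raw pass fires twice (PHF and the long USER), while the normalized pass also catches the encoded PHF request. The point for the question in the post is that a signature NIDS sees an R2L attempt only as bytes on the wire, so what it catches depends on both the rule content and how much protocol decoding happens before the match.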
