Snort mailing list archives
Antwort: RE: Snort-Machine = Security Hole?
From: ks () schuricht de
Date: Thu, 12 Jul 2001 17:25:38 +0200
Hi,

but how can a machine without a default gateway open a connection to outer 'space'? And what if you also deny any outgoing packet from the 'snort-machine' to the Internet? Seems impossible. But what happens if they hack your front firewall? ;)

Best solution seems to be to cut the send wires of the snort-machine from the cable connected to the DMZ ;)

Bye, Kai.

--
Dept. eBusiness / Development
D. Schuricht GmbH & Co. KG
http://www.schuricht.de

"Crow, Owen" <Owen_Crow () bmc com>
Sent by: snort-users-admin@lists.sourceforge.net
12.07.01 16:14
To: "'Daniel Voyer'" <daniel.voyer () cgi ca>, Thorsten Ziegler <zig () hell ghb fh-furtwangen de>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort-Machine = Security Hole?

<theory> Attacker sends packets designed to exploit a future buffer overflow in Snort that opens a connection back to attacker's computer.</theory>

In this case the first two-way communication is initiated by your Snort box via its admin port back out to the Internet. Once there's a buffer overflow and a way back to the Internet, the Snort box is fair game.

[From this point on, I'm going to substitute "vulnerable system" instead of "Snort system" since this isn't a Snort-specific problem.]

You mention the main fix for this, though: don't allow your vulnerable system to connect back to the Internet. That doesn't protect the other systems on your management LAN that can be attacked by your now-hostile vulnerable system. If you don't keep the vulnerable system quarantined, then you've got to expect anything it catches to spread. Basically, I would treat the Snort box the way you would treat any other box in your DMZ: important but expendable and possibly compromised.

I haven't analyzed the probability of that future exploit. Snort itself seems pretty immune in that it does minimal analysis of packet contents, but some of the preprocessors could open up vulnerabilities if they make assumptions about packet contents.
For comparison, see these links for tcpdump exploits/DoS attacks:

"tcpdump AFS ACL Packet Buffer Overflow Vulnerability" at http://www.securityfocus.com/bid/1870
"Tcpdump Protocol Four and Zero Header Length Vulnerability" at http://www.securityfocus.com/bid/313
"Multiple Sniffer Vendor DNS Decode Vulnerability" at http://www.securityfocus.com/bid/1165

The first one is an actual root compromise, the last two are just DoS for tcpdump.

Of course you could just not worry about it until the first Snort exploit is posted at 5:01PM on a Friday afternoon :).

Regards,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

-----Original Message-----
From: Daniel Voyer [mailto:daniel.voyer () cgi ca]
Sent: Thursday, July 12, 2001 7:41 AM
To: Thorsten Ziegler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-Machine = Security Hole?

Hey ... I don't catch this one ...

Imagine this scenario: I put a hub or a switch (with span port) between my firewall and my Internet router. On this hub I place a snort machine with two NICs. The first NIC is directly connected to the switch with *0.0.0.0* IP address. The second NIC is directly connected to a management LAN somewhere in my internal network. I use the first NIC (0.0.0.0) to do what an IDS should do: I sniff the network with some filter.... And I use the second NIC to manage my snort box and to receive any alert/log ....

So now, what should be your concern about the security? How could somebody attack my snort box on the IP address 0.0.0.0?

And if it's possible to attack my box (with IP 0.0.0.0), just in case we should be paranoid .... I can put an access list in my border router to deny any established connections on my snort box. And I will still receive any traffic passing through the switch because I place my snort box on a span port (that means I receive anything that my switch puts in its buffer).

So, again, how could you attack my snort box ??

- Dan

I'm really interested to see any mail on this one.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
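One concrete form of the quarantine Owen and Dan describe (the sensor may not open connections to the Internet, and a compromised sensor must not be able to reach the other hosts on the management LAN) is an egress check on the management-LAN firewall's logs. The following is an added example, not code from the thread or from Snort: it flags every flow the sensor's management address initiates that is not to its alert collector. The sensor address 10.10.0.5, the collector 10.10.0.10 and the netfilter-style log lines are constructed assumptions.

```python
import re

# Assumed addresses (constructed for this example, not from the thread):
# the sensor's management NIC and the only destination it may talk to.
SENSOR_MGMT_IP = "10.10.0.5"
ALLOWED_EGRESS = {("10.10.0.10", "UDP", 514)}   # syslog alerts to the collector

_KV = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter_line(line):
    """Split a netfilter LOG line into its KEY=value fields; bare upper-case
    tokens such as SYN/ACK (the TCP flags) are collected under '_flags'."""
    rec = dict(_KV.findall(line))
    rec["_flags"] = {t for t in line.split() if t.isalpha() and t.isupper()}
    return rec

def initiated_by_sensor(rec):
    """True when the packet is the sensor opening a new flow: a TCP SYN without
    ACK, or any UDP/ICMP packet sourced from the sensor's management address."""
    if rec.get("SRC") != SENSOR_MGMT_IP:
        return False
    if rec.get("PROTO") == "TCP":
        return "SYN" in rec["_flags"] and "ACK" not in rec["_flags"]
    return True

def egress_violations(lines):
    """Return (dst, proto, dport) for every flow the sensor initiated that is
    not on the allow list. Replies inside sessions opened by others are ignored,
    so an admin's SSH session into the sensor does not trip the check."""
    found = []
    for line in lines:
        rec = parse_netfilter_line(line)
        if not initiated_by_sensor(rec):
            continue
        key = (rec.get("DST"), rec.get("PROTO"), int(rec.get("DPT", "0")))
        if key not in ALLOWED_EGRESS:
            found.append(key)
    return found

# Constructed sample: the firewall logs both directions on the management LAN.
# Line 4 is a connection from the sensor out to the Internet, line 5 is the
# sensor reaching for another management-LAN host; both must be flagged.
SAMPLE_LOG = [
    "Jul 12 16:14:01 fw kernel: [MGMT] IN=eth1 OUT=eth0 SRC=10.10.0.5 DST=10.10.0.10 PROTO=UDP SPT=40000 DPT=514",
    "Jul 12 16:14:02 fw kernel: [MGMT] IN=eth0 OUT=eth1 SRC=10.10.0.10 DST=10.10.0.5 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0",
    "Jul 12 16:14:02 fw kernel: [MGMT] IN=eth1 OUT=eth0 SRC=10.10.0.5 DST=10.10.0.10 PROTO=TCP SPT=22 DPT=51000 ACK SYN URGP=0",
    "Jul 12 16:14:09 fw kernel: [MGMT] IN=eth1 OUT=eth0 SRC=10.10.0.5 DST=203.0.113.7 PROTO=TCP SPT=4242 DPT=443 SYN URGP=0",
    "Jul 12 16:14:11 fw kernel: [MGMT] IN=eth1 OUT=eth0 SRC=10.10.0.5 DST=10.10.0.77 PROTO=TCP SPT=4243 DPT=445 SYN URGP=0",
]

if __name__ == "__main__":
    for dst, proto, dport in egress_violations(SAMPLE_LOG):
        print(f"sensor {SENSOR_MGMT_IP} opened {proto}/{dport} to {dst}: not on allow list")
```

A netfilter rule ending in `-j LOG --log-prefix "[MGMT] "` on the management-LAN firewall produces lines of this shape; the same check also works as the basis for a DROP rule, since a quarantined sensor has no legitimate reason to open anything but the collector flow.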
Current thread:
- Antwort: RE: Snort-Machine = Security Hole? ks (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- <Possible follow-ups>
- RE: Antwort: RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Ramin Alidousti (Jul 12)
- RE: Antwort: RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Ramin Alidousti (Jul 12)
- RE: Antwort: RE: Snort-Machine = Security Hole? Steve Hutchins (Jul 12)
- RE: Antwort: RE: Snort-Machine = Security Hole? Frank Knobbe (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Ramin Alidousti (Jul 12)