Snort mailing list archives

Re: Antwort: RE: Snort-Machine = Security Hole?


From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Thu, 12 Jul 2001 13:50:45 -0400

Please help me understand this: if you don't have connectivity
to the Internet (by means of the lack of a default gateway, or
blocking the Internet connectivity on the firewall, ...) how
can a buffer overflow exploit give an attacker an active
remote root session? In such a case, a buffer overflow exploit
should install and run a locally executed program on the
snort box with no interaction with the outside world, right?
At any rate, could LIDS be of any help (at least for Linux boxes)?

Ramin

On Thu, Jul 12, 2001 at 11:10:38AM -0500, Crow, Owen wrote:

Lack of a default gateway is another obstacle, but not insurmountable if you
have root on the vulnerable box.  Most modern worms attempt multiple methods
of getting back to their masters, from direct connection to finding another,
better connected system to compromise.

All of the above rests on the possibility that an attacker can squeeze
enough instructions into a buffer overflow exploit to actively continue the
compromise despite being cut off from the Internet.  I haven't seen it yet,
but I'm sure we will in the next 5 years.

I agree cutting send wires protects from all known attacks.  I'm attempting
to protect against PFTF attacks (paranoid-fantasy, theoretical-future :).

Owen

-----Original Message-----
From: ks () schuricht de [mailto:ks () schuricht de]
Sent: Thursday, July 12, 2001 10:26 AM
To: snort-users () lists sourceforge net
Subject: Antwort: RE: [Snort-users] Snort-Machine = Security Hole?
Hi,

but how does a machine without a default gateway open a connection
to outer 'space'? And what if you also deny any outgoing packet from
the 'snort-machine' to the Internet?

Seems impossible.

But what happens if they hack your front firewall? ;)

Best solution seems to be to cut the send wires of the snort-machine
from the cable connected to the DMZ ;)

Bye,
  Kai.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
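As an added example (not from any of the posts above), a small sh audit for the sensor isolation Kai and Ramin describe: no default gateway, outgoing packets denied on the box itself, and the sniffing interface carrying no address of its own. The interface name eth1, the addresses and the captured command output are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper, not from the thread. It checks the isolation
# properties discussed in the posts against text captured from `ip route`,
# `iptables -S` and `ip -4 addr show <iface>`, so it can be run on the
# sensor itself or against output saved from one.

# 0 if the routing-table text contains no default route.
no_default_route() {
    ! printf '%s\n' "$1" | grep -q '^default '
}

# 0 if the `iptables -S` text sets the OUTPUT chain policy to DROP.
output_policy_drop() {
    printf '%s\n' "$1" | grep -q '^-P OUTPUT DROP$'
}

# 0 if the `ip -4 addr` text shows no IPv4 address on interface $1
# (an address-less sniffing interface cannot originate IPv4 traffic).
iface_has_no_ip() {
    ! printf '%s\n' "$2" | grep -q "inet .* $1\$"
}

# Runs all checks; prints one line per check and returns 1 if any fails.
audit_sensor() {
    routes=$1; rules=$2; iface=$3; addrs=$4; rc=0
    if no_default_route "$routes"; then echo "ok: no default route"
    else echo "FAIL: default route present"; rc=1; fi
    if output_policy_drop "$rules"; then echo "ok: OUTPUT policy is DROP"
    else echo "FAIL: OUTPUT policy is not DROP"; rc=1; fi
    if iface_has_no_ip "$iface" "$addrs"; then echo "ok: $iface has no IPv4 address"
    else echo "FAIL: $iface has an IPv4 address"; rc=1; fi
    return $rc
}

# Constructed sample output (not captured from a real sensor).
ISOLATED_ROUTES='10.0.5.0/24 dev eth0 proto kernel scope link src 10.0.5.7'
LEAKY_ROUTES="default via 10.0.5.1 dev eth0
$ISOLATED_ROUTES"
DROP_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'
ACCEPT_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SNIFF_IFACE=eth1
SNIFF_ADDRS='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
LEAKY_ADDRS="$SNIFF_ADDRS
    inet 192.0.2.5/24 brd 192.0.2.255 scope global eth1"

# On a live box: audit_sensor "$(ip route)" "$(iptables -S)" eth1 "$(ip -4 addr show eth1)"
audit_sensor "$ISOLATED_ROUTES" "$DROP_RULES" "$SNIFF_IFACE" "$SNIFF_ADDRS"
```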
