Snort mailing list archives

RE: Snort-Machine = Security Hole?


From: "Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>
Date: Thu, 12 Jul 2001 13:58:38 -0500

If you have a decent switch, you can set spanning AND 'receive only' on the
port that the IDS is on.  Now you're talking about the _very_ remote
possibility of cracking the switch in order to change that setting.

Much less hassle than messing around with wire snips... :)
This discussion has gone on so many times, I don't know why I didn't think
of that earlier. (?)

Of course, that only ties up the external interface.  You could use IP
filters on the internal interface to make sure it's only talking with the
machines you designate.  That would be in addition to the other useful
suggestions made.

If they still get in after all that, you might as well pull the plug on your
whole operation.  LOL

- Lee

-----Original Message-----
From: Daniel Voyer [mailto:daniel.voyer () cgi ca]
Sent: Thursday, July 12, 2001 7:41 AM
To: Thorsten Ziegler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-Machine = Security Hole?


Hey ...

I don't catch this one ...

Imagine this scenario:

I put a hub or a switch (with span port) between my firewall and my Internet
router. On this hub I place a snort machine with two NICs.
The first NIC is directly connected to the switch with *0.0.0.0* IP address.

The second NIC is directly connected on a management LAN somewhere in my
internal network.

I use the first NIC (0.0.0.0) to do what an IDS should do: I sniff the network
with some filter....
And I use the second NIC to manage my snort box and to receive any alert/log
....

So now, what should be your concern about the security?
How could somebody attack my snort box on the IP address 0.0.0.0?

And if it's possible to attack my box (with IP 0.0.0.0), just in case we
should be paranoid .... I can put an access list in my border router to deny
any established connections on my snort box.
And I will still receive any traffic passing through the switch because I
place my snort box on a span port (that means I receive anything that my
switch puts in its buffer).

So, again, how could you attack my snort box??

- Dan
I'm really interested to see any mail on this one.



Thorsten Ziegler wrote:

Hi out there...

during the last days, I've intensively explored snort and its features
- and then recognized a problem I was not able to find any existing
  solutions for...

Given the location of a snort-box between the border router and the
outer firewall - I'm aware of the security risk such a machine is
creating according to the local security policy - so I decided to use
the sentry-cd package and to create a diskless sniffer-station - so it's
hard to compromise the machine.
Next step was removing the IP of the machine (it was a private IP out
of the transfer net between the router and the outer firewall).
So now I'm having the problem how to bring the logging information back
in to my logging server - a second NIC with a connection to the
logging server would make the whole use of the firewall obsolete - a
direct link around the firewall, damnit. I'm not trusting the fact that
the machine isn't reachable from the outside without an IP... but
what possibilities do I have?
At first, I was thinking of syslog UDP packets one way through the
firewall, a security risk far less than opening an interactive
TCP session through the firewall.
But now I'm having the problem that syslog messages are kinda useless
if I'm trying to figure out if there's a false or true security breach:
I'm needing the whole packet dump - but logging to a MySQL would
require the establishment of an interactive TCP session from outside our
firewall - I'm not glad about this idea.

How did you solve this problem?
I've also created a one-way UTP cable, but that doesn't look very nice
in the corporate switchboard...

Any suggestions are welcome..

Greetings, ZiG
--
Security by obscurity

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
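The one-way syslog export discussed in the thread, as an added example that is not from any of the posts: the sensor sends each Snort alert plus the triggering packet (hex, split into numbered parts) as RFC 3164 UDP datagrams from the management NIC and never listens, so the firewall needs a single sensor-to-log-server UDP/514 rule and no return path. The host names, addresses, alert id scheme and sample packet are constructed assumptions.

```python
"""Added example, not from the thread: one-way syslog export of Snort alerts
plus the triggering packet. The sensor only sends UDP datagrams out of the
management NIC and never listens; names and addresses are constructed."""
import socket
import time

MAX_DGRAM = 1024                 # RFC 3164 maximum message length
PRI = 20 * 8 + 1                 # facility local4 (20), severity alert (1)

def syslog_header(ts, hostname="snort-sensor", tag="snort"):
    """RFC 3164 header '<PRI>Mmm dd HH:MM:SS HOST TAG: ' (day space padded)."""
    t = time.gmtime(ts)
    months = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
    stamp = "%s %2d %02d:%02d:%02d" % (months[t.tm_mon - 1], t.tm_mday,
                                      t.tm_hour, t.tm_min, t.tm_sec)
    return "<%d>%s %s %s: " % (PRI, stamp, hostname, tag)

def build_datagrams(alert_id, alert_text, packet, ts):
    """Datagrams for one alert: the alert line, then the raw packet as hex
    split into numbered parts so every datagram stays within MAX_DGRAM.
    The id and part/total fields let the log server reassemble without
    any acknowledgement flowing back to the sensor."""
    head = syslog_header(ts)
    out = [(head + "%s %s" % (alert_id, alert_text)).encode()[:MAX_DGRAM]]
    hexdata = packet.hex()
    room = MAX_DGRAM - len(head) - len("%s pkt 999/999 " % alert_id)
    parts = [hexdata[i:i + room] for i in range(0, len(hexdata), room)] or [""]
    for n, part in enumerate(parts, 1):
        line = head + "%s pkt %d/%d %s" % (alert_id, n, len(parts), part)
        out.append(line.encode())
    return out

def send_one_way(datagrams, logserver, mgmt_ip):
    """Fire-and-forget: bind to the management NIC so nothing leaves the
    unnumbered sniffing NIC, sendto() each datagram, never recv()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((mgmt_ip, 0))
    try:
        for d in datagrams:
            s.sendto(d, (logserver, 514))
    finally:
        s.close()

if __name__ == "__main__":
    # constructed sample: a repeated IPv4 header stands in for the captured packet
    pkt = bytes.fromhex("4500003c1c4640004006b1e60a0000050a000002") * 60
    alert = "[1:498:3] id check returned root {TCP} 10.0.0.5:80 -> 10.0.0.2:1234"
    send_one_way(build_datagrams("A42", alert, pkt, 994946318), "10.0.0.9", "10.0.0.7")
```

On the log server side only an inbound allow for UDP/514 from the sensor's management address is needed; the sensor's border-side NIC stays unnumbered and is never used for this traffic.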

