Snort mailing list archives
RE: Snort-Machine = Security Hole?
From: "Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>
Date: Thu, 12 Jul 2001 13:58:38 -0500
If you have a decent switch, you can set spanning AND 'receive only' on the port that the IDS is on. Now you're talking about the _very_ remote possibility of cracking the switch in order to change that setting. Much less hassle than messing around with wire snips... :)

This discussion has gone on so many times, I don't know why I didn't think of that earlier. (?)

Of course, that only ties up the external interface. You could use IP filters on the internal interface to make sure it's only talking with the machines you designate. That would be in addition to the other useful suggestions made. If they still get in after all that, you might as well pull the plug on your whole operation. LOL

- Lee
-----Original Message-----
From: Daniel Voyer [mailto:daniel.voyer () cgi ca]
Sent: Thursday, July 12, 2001 7:41 AM
To: Thorsten Ziegler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-Machine = Security Hole?

Hey ... I don't catch this one ...

Imagine this scenario: I put a hub or a switch (with span port) between my firewall and my Internet router. On this hub I place a snort machine with two NICs. The first NIC is directly connected to the switch with *0.0.0.0* IP address. The second NIC is directly connected to a management LAN somewhere in my internal network. I use the first NIC (0.0.0.0) to do what an IDS should do: I sniff the network with some filter.... And I use the second NIC to manage my snort box and to receive any alert/log ....

So now, what should be your concern about the security? How could somebody attack my snort box on the IP address 0.0.0.0? And if it's possible to attack my box (with IP 0.0.0.0), just in case we should be paranoid .... I can put an access list in my border router to deny any established connections to my snort box. And I will still receive any traffic passing through the switch because I place my snort box on a span port (that means I receive anything that my switch puts in its buffer).

So, again, how could you attack my snort box??

- Dan

I'm really interested to see any mail on this one.

Thorsten Ziegler wrote:

Hi out there...

During the last days, I've intensively explored snort and its features - and then recognized a problem I was not able to find any existing solutions for... Given the location of a snort-box between the border router and the outer firewall - I'm aware of the security risk such a machine is creating according to the local security policy - so I decided to use the sentry-cd package and to create a diskless sniffer-station - so it's hard to compromise the machine. Next step was removing the IP of the machine (it was a private IP out of the transfer net between the router and the outer firewall).

So now I'm having the problem how to bring the logging-information back in to my logging server - a second NIC with a connection to the logging-server would make the whole use of the firewall obsolete - a direct link around the firewall, damnit. I'm not trusting the fact that the machine isn't reachable from the outside without an IP... but what possibilities do I have? At first, I was thinking of syslog-udp packets one way through the firewall, a security risk less far than opening an interactive TCP session through the firewall. But now I'm having the problem that syslog messages are kinda useless if I'm trying to figure out if there's a false or true security breach: I'm needing the whole packet dump - but logging to a MySQL would require the establishment of an interactive TCP session from outside our firewall - I'm not glad about this idea.

How did you solve this problem? I've also created a one-way UTP cable, but that doesn't look very nice in the corporate switchboard...

Any suggestions are welcome..

Greetings, ZiG
--
Security by obscurity

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
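The host-side part of what the thread converges on (an address-less sniffing NIC that never answers ARP, and a management NIC filtered to designated hosts only), as an added shell example that is not from any of the posters; the interface names eth0/eth1 and the management hosts are placeholders, and the rules are rendered as a dry run so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): render, and optionally apply, the host-side
# hardening the posters describe for a Snort sensor: a sniffing NIC with no IP
# address that never answers ARP, and a management NIC that may only talk to a
# short list of designated hosts. Interface names and hosts are placeholders.

SNIFF_IF=eth0                   # placeholder: NIC on the span/receive-only port
MGMT_IF=eth1                    # placeholder: NIC on the internal management LAN
MGMT_HOSTS="10.0.0.5 10.0.0.6"  # placeholder: logging server and admin console

# Commands that turn IFACE into a passive, address-less sniffing interface.
sniff_iface_cmds() {
    iface=$1
    printf 'ip addr flush dev %s\n' "$iface"                       # no IPv4 address
    printf 'sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n' "$iface"  # no link-local IPv6 either
    printf 'ip link set dev %s arp off\n' "$iface"                 # never answer ARP
    printf 'ip link set dev %s promisc on up\n' "$iface"           # see all span-port traffic
}

# iptables rules: default-deny, nothing at the IP layer on the sniffing NIC,
# and on the management NIC only the designated hosts, in both directions.
mgmt_iptables_rules() {
    sniff=$1; mgmt=$2; shift 2
    printf 'iptables -P INPUT DROP\niptables -P OUTPUT DROP\niptables -P FORWARD DROP\n'
    printf 'iptables -A INPUT -i %s -j DROP\n' "$sniff"
    printf 'iptables -A OUTPUT -o %s -j DROP\n' "$sniff"
    printf 'iptables -A INPUT -i lo -j ACCEPT\niptables -A OUTPUT -o lo -j ACCEPT\n'
    for host in "$@"; do
        printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$mgmt" "$host"
        printf 'iptables -A OUTPUT -o %s -d %s -j ACCEPT\n' "$mgmt" "$host"
    done
}

# Check before applying: the sniffing NIC must not appear in any ACCEPT rule.
verify_no_accept_on_sniff() {
    ! mgmt_iptables_rules "$@" | grep -e '-j ACCEPT' | grep -q "$1"
}

render_all() {
    sniff_iface_cmds "$SNIFF_IF"
    mgmt_iptables_rules "$SNIFF_IF" "$MGMT_IF" $MGMT_HOSTS   # unquoted: split hosts on spaces
}

# Dry run by default; "--apply" executes the rendered commands (needs root).
verify_no_accept_on_sniff "$SNIFF_IF" "$MGMT_IF" $MGMT_HOSTS || { echo "refusing: sniff NIC would be accepted" >&2; exit 1; }
case "${1:-}" in
    --apply) render_all | sh -e ;;
    *)       render_all ;;
esac
```

The router-side ACL Dan mentions and the switch's receive-only span setting are separate controls that this script does not touch.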
Current thread:
- Snort-Machine = Security Hole? Thorsten Ziegler (Jul 11)
- Re: Snort-Machine = Security Hole? Ramin Alidousti (Jul 11)
- Re: Snort-Machine = Security Hole? barre (Jul 11)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- Re: Snort-Machine = Security Hole? Dan Hollis (Jul 12)
- <Possible follow-ups>
- RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Snort-Machine = Security Hole? Davis, Scott (Jul 12)
- RE: Snort-Machine = Security Hole? Burleson, Lee (IA) (Jul 12)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- RE: Snort-Machine = Security Hole? ks (Jul 12)
- RE: Snort-Machine = Security Hole? Andreas Steinmetz (Jul 13)
- RE: Snort-Machine = Security Hole? Robert D. Hughes (Jul 13)
- RE: Snort-Machine = Security Hole? Dan Hollis (Jul 13)
- RE: Snort-Machine = Security Hole? Hawrylkiw, Dan G (Jul 17)
- Re: Snort-Machine = Security Hole? Ramin Alidousti (Jul 11)