Snort mailing list archives

Re: How does Snort protect itself ?


From: twig les <twigles () yahoo com>
Date: Mon, 9 Sep 2002 20:42:47 -0700 (PDT)

I wouldn't use snort to protect the sensor.  On top of
what V. wrote, Snort protects *itself* by running as a
normal user with no shell, and by not using shoddy
programming (no buffer overflows on bugtraq :).

Using Snort to protect your sensor is like using the
back of a screwdriver as a hammer.  It would be a
better idea to do the traditional grunt work of
hardening the OS by pruning useless services, patching
it, and firewalling it.


--- "Vinay A. Mahadik" <VAMahadik () lbl gov> wrote:
KD Rajkumar wrote:

Hi,

How does Snort protect itself against attacks? If an attacker is trying
to take down the IDS itself, is Snort capable of detecting and thwarting
it?


Briefly.. although perhaps not optimized for self-defense, there are
mechanisms like 'memcap' (and consequent aggressive pruning, and random
nuking of states), and 'timeout' for preprocessors like frag2, stream4.
There's '-z est' defense against stick/snot attacks. For evasion
attacks, there are dedicated preprocessors and preprocessor options, and
some internal source code tweaks like the 1.9.x's pseudo-random
FLUSH_POINTs in stream4. These are just pointers and not a complete
list.. It would be good to have a separate discussion in the manual
about these..

--
Vinay A. Mahadik
Summer Intern
System & Network Security Group
Lawrence Berkeley National Lab
(510) 495 2618





-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------
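As an added example that ties the two replies together (it is not code from either poster or from the Snort project), a snort.conf fragment and start-up command line for a Snort 1.9-era sensor: it sets the memcap/timeout options on frag2 and stream4 and the -z est mode Vinay lists, and drops to an unprivileged account as twig les recommends. The byte and second values, the interface name and the user/group name "snort" are assumptions chosen for illustration.

```conf
# Added example, not from the thread. Values below are illustrative;
# size memcap/timeout to the sensor's RAM and traffic volume.

# frag2: bound the memory spent on IP fragment reassembly and expire
# stale fragments, so a fragment flood cannot exhaust the sensor.
# When memcap is reached Snort prunes old fragment trackers.
preprocessor frag2: memcap 4194304, timeout 60

# stream4: the same two knobs for TCP session state. Hitting memcap
# triggers aggressive pruning of sessions rather than a crash or stall.
# stream4 must be enabled for '-z est' (below) to have any effect.
preprocessor stream4: detect_scans, disable_evasion_alerts, memcap 8388608, timeout 30
preprocessor stream4_reassemble: both, ports default

# Start-up command line (e.g. from the sensor's init script):
#   -u/-g  drop root privileges to an account with no login shell
#          (assumed here to be user 'snort', group 'snort')
#   -z est only alert on established TCP streams, so spoofed
#          single-packet floods (stick/snot style) do not raise alerts
#   -D     run as a daemon on the monitoring interface (assumed eth0)
#
#   snort -c /etc/snort/snort.conf -u snort -g snort -z est -D -i eth0
```

The command line is the Snort side only; the OS hardening twig les describes (removing services, patching, host firewalling) is done outside snort.conf.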
