Snort mailing list archives

Re: How does Snort protect itself ?


From: twig les <twigles () yahoo com>
Date: Tue, 10 Sep 2002 10:34:25 -0700 (PDT)

Not really. My point was that Snort protects Snort well, but not the sensor.


--- KD Rajkumar <koderma () hotmail com> wrote:
I think you misunderstood my question. I wasn't asking if one could use Snort to protect Snort.


From: twig les <twigles () yahoo com>
To: "Vinay A. Mahadik" <VAMahadik () lbl gov>, KD Rajkumar <koderma () hotmail com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How does Snort protect itself ?
Date: Mon, 9 Sep 2002 20:42:47 -0700 (PDT)

I wouldn't use snort to protect the sensor. On top of what V. wrote, Snort protects *itself* by running as a normal user with no shell, and by not using shoddy programming (no buffer overflows on bugtraq :).

Using Snort to protect your sensor is like using the back of a screwdriver as a hammer. It would be a better idea to do the traditional grunt work of hardening the OS by pruning useless services, patching it, and firewalling it.


--- "Vinay A. Mahadik" <VAMahadik () lbl gov> wrote:
KD Rajkumar wrote:

Hi,

How does Snort protect itself against attacks? If an attacker is trying to take down the IDS itself, is Snort capable of detecting and thwarting it?


Briefly.. although perhaps not optimized for self-defense, there are mechanisms like 'memcap' (and consequent aggressive pruning, and random nuking of states), and 'timeout' for preprocessors like frag2, stream4. There's '-z est' defense against stick/snot attacks. For evasion attacks, there are dedicated preprocessors and preprocessor options, and some internal source code tweaks like the 1.9.x's pseudo-random FLUSH_POINTs in stream4. These are just pointers and not a complete list.. It would be good to have a separate discussion in the manual about these..

--
Vinay A. Mahadik
Summer Intern
System & Network Security Group
Lawrence Berkeley National Lab
(510) 495 2618

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====

-----------------------------------------------------------
Heavy metal made me do it.

-----------------------------------------------------------
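The resource-exhaustion knobs Vinay lists in the quoted reply (memcap and timeout on frag2 and stream4, plus `-z est` against stick/snot-style alert floods) are easier to see in a configuration than in prose. The fragment below is an added example for this archive page, not a file from the thread or from the Snort project; it uses the Snort 1.9-era snort.conf syntax as I remember it, and the byte and second values are illustrative choices, not recommended numbers.

```conf
# Added example (not from the thread): a snort.conf fragment showing the
# preprocessor state limits Vinay mentions. Option names memcap/timeout,
# frag2 and stream4 come from his mail; the numeric values are my own
# illustrative picks.

# Weak form: preprocessors loaded with no explicit limits. Idle or half-open
# sessions and unfinished fragment chains accumulate until the defaults
# kick in, so a flood of forged fragments or SYNs can starve the sensor host.
#preprocessor frag2
#preprocessor stream4: detect_scans

# Bounded form: cap the memory each preprocessor may hold and age out idle
# state. When memcap is reached Snort prunes sessions aggressively (Vinay's
# "random nuking of states") instead of exhausting memory on the sensor.
preprocessor frag2: memcap 4194304, timeout 60
preprocessor stream4: detect_scans, memcap 8388608, timeout 30
preprocessor stream4_reassemble: both, ports default
```

The `-z est` defense is a command-line switch rather than a config line: started as `snort -c snort.conf -z est`, Snort only raises TCP alerts for sessions stream4 has seen complete a handshake, so a stick/snot generator spraying single forged packets that match rule signatures produces no alert storm and cannot bury real events in noise. It depends on stream4 being enabled, which is why the fragment keeps stream4 in place. Note that these limits only protect the Snort process; as twig les says, the host itself still needs the usual service pruning, patching and firewalling.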

__________________________________________________
Yahoo! - We Remember
9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute





_________________________________________________________________
Send and receive Hotmail on your mobile device:
http://mobile.msn.com



=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------

__________________________________________________
Yahoo! - We Remember
9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


Current thread: