Snort mailing list archives
Re: How does Snort protect itself ?
From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Tue, 17 Sep 2002 10:05:07 -0400
Actually, it may still be possible to abuse Snort/IDS systems if the NIC doesn't have an IP address. You limit the risk, but it is still possible. If it is found that a certain set of packets crashes Snort, then there is potential for being able to get the Snort sensor to do things at your command. Putting in taps helps, but since you still read live data from the wire and do something with it, there is always the possibility for abuse. I have heard of IDS systems that crash because they run out of memory or because they try to decode something bad and break. Just something to think about.

Ian

----- Original Message -----
From: "WTWork" <securitygauntlet () snet net>
To: "KD Rajkumar" <koderma () hotmail com>; <VAMahadik () lbl gov>
Cc: <snort-users () lists sourceforge net>
Sent: Sunday, September 15, 2002 11:09 PM
Subject: Re: [Snort-users] How does Snort protect itself ?
Not really sure this is what needs to be done. If you run Snort on a stealth NIC then it can't be found or tampered with there. If you firewall and only allow, say, SSH in for management and ACID (whatever your favourite interface is) in for viewing alerts, the problem should be solved. Oh ya!! Also, one should ALWAYS harden the server the sensor is on. IDS (host-based) systems should NOT be placed on servers requiring or running other apps. This is why the advent of the appliance-based Snort is a great idea. Then you get a "sensor in a box", not an OS/server/maintenance/admin/all the other stuff that comes with a standard default install of servers. This is IMHO; just take the info for what it is worth to you.

Wayne

At 01:50 AM 9/10/2002 +0000, KD Rajkumar wrote:

I think it's a splendid idea to have a separate discussion on the manual page on this. It would be very helpful to get insight from the curators of the program, Marty Roesch et al., on data structures used and other design considerations for protecting Snort itself from being attacked.

From: "Vinay A. Mahadik" <VAMahadik () lbl gov>
To: KD Rajkumar <koderma () hotmail com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] How does Snort protect itself ?
Date: Sun, 08 Sep 2002 14:44:42 -0400

KD Rajkumar wrote:

Hi, how does Snort protect itself against attacks? If an attacker is trying to take down the IDS itself, is Snort capable of detecting and thwarting it?

Briefly.. although perhaps not optimized for self-defense, there are mechanisms like 'memcap' (and consequent aggressive pruning, and random nuking of states), and 'timeout' for preprocessors like frag2, stream4. There's '-z est' defense against stick/snot attacks. For evasion attacks, there are dedicated preprocessors and preprocessor options, and some internal source code tweaks like the 1.9.x's pseudo-random FLUSH_POINTs in stream4. These are just pointers and not a complete list.. It would be good to have a separate discussion in the manual about these..

--
Vinay A. Mahadik
Summer Intern
System & Network Security Group
Lawrence Berkeley National Lab
(510) 495 2618
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
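The 'memcap', 'timeout' and '-z est' mechanisms Vinay lists in the quoted message, as an added example that is not part of the thread and not Snort's code: a toy flow table that models what those three knobs do when a sensor is hit by a stick/snot-style flood of unsolicited, signature-matching packets. SESSION_COST, SIGNATURE, the simplified packet format and the address ranges are all assumed for the demonstration, and the constructed traffic stands in for a live capture.

```python
"""Toy model of three IDS self-defence knobs: per-flow timeout, a memory cap
with pruning when it is hit, and established-only alerting (the `-z est` idea).
Added example, not Snort code; every constant below is assumed for the demo."""
import random
from dataclasses import dataclass

SESSION_COST = 256       # assumed bytes of state per tracked flow
SIGNATURE = b"/bin/sh"   # assumed content signature the sensor looks for


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    flags: str           # "S", "SA", "A" or "PA" (TCP flags, simplified)
    payload: bytes = b""


@dataclass
class Flow:
    last_seen: float
    state: str = "NEW"   # NEW -> SYN -> SYNACK -> EST


class FlowTable:
    """Bounded session tracker standing in for a stream4-style state table."""

    def __init__(self, memcap, timeout, est_only, seed=1):
        self.memcap, self.timeout, self.est_only = memcap, timeout, est_only
        self.rng = random.Random(seed)  # seeded so the random nuking is repeatable
        self.flows = {}
        self.peak = self.pruned_idle = self.pruned_memcap = 0
        self.alerts = []

    @staticmethod
    def key(p):
        return tuple(sorted((p.src, p.dst)))

    def mem_used(self):
        return len(self.flows) * SESSION_COST

    def expire_idle(self, now):
        """timeout: drop flows idle longer than the configured limit."""
        stale = [k for k, f in self.flows.items() if now - f.last_seen > self.timeout]
        for k in stale:
            del self.flows[k]
        self.pruned_idle += len(stale)

    def enforce_memcap(self):
        """memcap: evict the oldest flow, then random victims, until one more fits."""
        if self.mem_used() + SESSION_COST > self.memcap and self.flows:
            oldest = min(self.flows, key=lambda k: self.flows[k].last_seen)
            del self.flows[oldest]
            self.pruned_memcap += 1
        while self.mem_used() + SESSION_COST > self.memcap and self.flows:
            del self.flows[self.rng.choice(list(self.flows))]
            self.pruned_memcap += 1

    def process(self, p):
        self.expire_idle(p.ts)
        k = self.key(p)
        f = self.flows.get(k)
        if f is None:
            self.enforce_memcap()
            f = self.flows[k] = Flow(last_seen=p.ts)
            self.peak = max(self.peak, len(self.flows))
        f.last_seen = p.ts
        # Minimal three-way-handshake tracking.
        if p.flags == "S" and f.state == "NEW":
            f.state = "SYN"
        elif p.flags == "SA" and f.state == "SYN":
            f.state = "SYNACK"
        elif p.flags in ("A", "PA") and f.state == "SYNACK":
            f.state = "EST"
        # est_only: a signature hit outside an established session is ignored.
        if SIGNATURE in p.payload and (f.state == "EST" or not self.est_only):
            self.alerts.append((p.ts, p.src, p.dst))


def simulate(est_only, memcap=100 * SESSION_COST, timeout=30.0):
    """One real session, then a 500-source flood of unsolicited matching
    packets, then a long idle gap.  All traffic is constructed for the demo."""
    t = FlowTable(memcap, timeout, est_only)
    c, s = "10.0.0.5", "10.0.0.80"
    for p in (Pkt(0.0, c, s, "S"), Pkt(0.1, s, c, "SA"), Pkt(0.2, c, s, "A"),
              Pkt(0.3, c, s, "PA", b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0")):
        t.process(p)
    real_alerts = len(t.alerts)
    for i in range(500):             # stick/snot style: no handshake, just "hits"
        src = f"198.51.100.{i % 250}" if i < 250 else f"203.0.113.{i % 250}"
        t.process(Pkt(1.0 + i * 0.01, src, s, "PA", SIGNATURE))
    t.process(Pkt(200.0, c, s, "S"))  # long after the flood: idle flows expire
    return {"real_alerts": real_alerts, "total_alerts": len(t.alerts),
            "peak_flows": t.peak, "pruned_memcap": t.pruned_memcap,
            "pruned_idle": t.pruned_idle, "flows_left": len(t.flows)}


if __name__ == "__main__":
    for mode in (True, False):
        print("est_only" if mode else "alert on everything", simulate(mode))
```

With est_only the flood produces no alerts at all while the genuine session still fires once; without it the sensor emits one alert per flood packet, which is exactly the noise stick and snot aim for. The memcap keeps the table at 100 flows, but note what it evicts first: the oldest entry, which is the legitimate session, so the flood can push real state out of the table. In Snort 1.9 the corresponding knobs are the timeout and memcap arguments of the stream4 and frag2 preprocessors in snort.conf and the -z est command-line switch; the caveat is that -z est also suppresses any TCP signature that needs to fire on a packet before the handshake completes.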
Current thread:
- How does Snort protect itself ? KD Rajkumar (Sep 08)
- Re: How does Snort protect itself ? Vinay A. Mahadik (Sep 08)
- Re: How does Snort protect itself ? twig les (Sep 09)
- <Possible follow-ups>
- RE: How does Snort protect itself ? Semerjian, Ohanes (Sep 10)
- Re: How does Snort protect itself ? Vinay A. Mahadik (Sep 10)
- Re: How does Snort protect itself ? KD Rajkumar (Sep 15)
- Re: How does Snort protect itself ? WTWork (Sep 15)
- Re: How does Snort protect itself ? Gary Flynn (Sep 16)
- Re: How does Snort protect itself ? Ian Macdonald (Sep 17)
- Re: Stealth NIC (Was: How does Snort protect itself ?) Erek Adams (Sep 18)
- Re: How does Snort protect itself ? WTWork (Sep 15)
- Re: How does Snort protect itself ? Vinay A. Mahadik (Sep 08)
- Re: How does Snort protect itself ? KD Rajkumar (Sep 15)
- Re: How does Snort protect itself ? twig les (Sep 10)