Snort mailing list archives

Re: Stealth NIC (Was: How does Snort protect itself ?)


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 18 Sep 2002 11:33:01 -0700 (PDT)

On Tue, 17 Sep 2002, Ian Macdonald wrote:

> Actually, it may still be possible to abuse snort/IDS systems if the NIC
> doesn't have an IP address. You limit the risk but it is still possible. If
> it is found that a certain set of packets crash snort, then there is
> potential for being able to get the snort sensor to do things at your
> command. Putting in taps helps, but since you still read live data from the
> wire and do something with it then there is always the possibility for
> abuse.
>
> I have heard of IDS systems that crash because they run out of memory or
> because they try and decode something bad and break. Just something to think
> about.

If you recall, not that long ago, there was a bug in Ethereal (and tcpdump,
IIRC) that could cause a remote buffer overflow just by decoding a packet.

One thing that you can do that will help 'more' is an R/O cable on an IP-less
interface.  That way, traffic _can't_ enter the network since the transmit
pairs don't send any data.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
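
An added example, not part of the original message: a check that a sniffing interface really is IP-less, run over `ip -o addr show` output from Linux iproute2. The interface name `eth1` and the sample lines are constructed; the IPv6 link-local case is included because Linux assigns that address automatically when an interface comes up.

```shell
#!/bin/sh
# Audit an "IP-less" sensor interface using `ip -o addr show` output.
# Assumptions: Linux iproute2 one-line format; eth1 is a hypothetical sensor NIC.
# Live use:  ip -o addr show | stealth_audit eth1

# stealth_audit IFACE
# Reads `ip -o addr show` output on stdin, prints every IPv4/IPv6 address
# bound to IFACE, and returns 0 only when the interface has none.
stealth_audit() {
    awk -v ifc="$1" '
        # Fields: "<index>:" <ifname> <family> <address/prefix> ...
        $2 == ifc && ($3 == "inet" || $3 == "inet6") {
            printf "%s has %s address %s\n", ifc, $3, $4
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: eth0 is the management NIC, eth1 the sensor NIC.
# eth1 has no IPv4 address but still carries an auto-assigned IPv6
# link-local address, so it is not actually IP-less.
sample_leaky() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Same host after the sensor NIC has been cleaned up (constructed).
sample_clean() {
    sample_leaky | grep -v ' eth1 '
}

# Remediation when the audit fails (standard iproute2/sysctl commands):
#   ip addr flush dev eth1
#   sysctl -w net.ipv6.conf.eth1.disable_ipv6=1
#   ip link set dev eth1 arp off
```

This only covers the host side of the setup; a receive-only cable or tap is what stops transmission regardless of how the interface is configured.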


