Snort mailing list archives
Re: Detecting Broadcast with Snort
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 22 Feb 2003 12:45:47 -0600
On Sat, 2003-02-22 at 12:03, Matt Kettler wrote:
My general advice about such tools is they are fine, as long as you can be 100% sure that you've not just created a hole where someone can hack your snort box you forgot to properly secure and use that to open up your firewall. A snortsam or inline snort box should not be doing things like running a mailserver, nameserver and webserver which are externally accessible, and I'm willing to bet more than one sysadmin fails to see how foolish this is.
Matt, in regards to SnortSam, you are absolutely correct that SnortSam itself should be running on a secure box. But the Snort sensors themselves don't have to be. You can run Snort on your web and/or mail servers. Yes, someone could crack the web server, use the SnortSam password together with their own tool and send fake blocking requests to the SnortSam daemon on the remote box, but he can a) only add blocks, not reconfigure or open firewalls, and b) is still subject to the countermeasures SnortSam employs (white-list, thresholds, etc). As long as you keep the SnortSam daemon on a secure box, you're in good shape.

I think this can lead to the debate/discussion of separation of services. For example, I don't like to run my name services on the same box I run web services because I feel that if the (weaker) web server gets compromised, I hand the attacker control over my domains. It is much harder to break into a djbdns name server than into an Apache box. But that discussion is probably not for snort-users :)

Anyhow, thanks for bringing this issue up. We should always keep this in mind when designing/deploying systems.

Cheers,
Frank
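The daemon-side limits described in the message above, as an added example that is not part of the original post and is not SnortSam's code: a simplified Python model of a blocking daemon that accepts only block requests and applies a white-list and a threshold to requests from an already-authenticated sensor. The class name, method names, the per-sensor threshold semantics and all addresses are assumptions made for illustration.

```python
import ipaddress
import time


class BlockDaemon:
    """Simplified model of a blocking daemon; not SnortSam's implementation."""

    def __init__(self, allowlist, max_blocks, window_seconds):
        # Networks that must never be blocked, whatever a sensor asks for.
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.max_blocks = max_blocks    # assumed: cap on accepted blocks per sensor
        self.window = window_seconds    # assumed: sliding window for that cap
        self.recent = {}                # sensor name -> timestamps of accepted blocks
        self.blocked = set()

    def handle(self, sensor, action, target, now=None):
        """Process one request from a sensor that already passed authentication."""
        now = time.time() if now is None else now
        # A stolen sensor password still only buys the "block" verb.
        if action != "block":
            return "rejected: only block requests are accepted"
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return "rejected: invalid address"
        if any(ip in net for net in self.allowlist):
            return "rejected: target is white-listed"
        stamps = [t for t in self.recent.get(sensor, []) if now - t < self.window]
        self.recent[sensor] = stamps
        if len(stamps) >= self.max_blocks:
            return "rejected: threshold exceeded"
        stamps.append(now)
        self.blocked.add(ip)
        return "blocked"


def demo():
    """Replay constructed requests as a compromised sensor might send them."""
    daemon = BlockDaemon(["192.0.2.0/24"], max_blocks=2, window_seconds=60)
    requests = [("unblock", "203.0.113.5"), ("block", "192.0.2.10"),
                ("block", "203.0.113.5"), ("block", "203.0.113.6"),
                ("block", "203.0.113.7")]
    return [daemon.handle("web01", action, target, now=i)
            for i, (action, target) in enumerate(requests)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```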