Snort mailing list archives

RE: Attack on snort running in Public Zone


From: "Lucretia Enterprises Administrator" <info () lucretia ca>
Date: Tue, 18 Nov 2003 17:00:05 -0700

To bring this back on conversation, the original question was to avoid a
DDoS attack...

Thanks.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Matt
Kettler
Sent: Tuesday, November 18, 2003 4:44 PM
To: bmcdowell () coxhealthplans com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Attack on snort running in Public Zone


At 04:35 PM 11/18/2003, bmcdowell () coxhealthplans com wrote:
It seems to me that, second interface or not, such an exploit as the
example Matt gave could also be used to somehow provide an IP to the
'stealth' box.

Now a tap, well, they would need to do some wiring to beat that one
(unless there's another interface).  Right?

In a box with only one NIC, connected to a hardware tap with no send
capabilities, even the best case for an exploiter would leave them
limited to making changes to the snort box itself, i.e. they could load
code to delete files, call for shutdown, etc.

So it's still not hackproof, but you've greatly limited what they can do.

Realistically they'd also be limited in the size of the code they could
execute by the nature of the buffer overflow in snort they were
exploiting. I've never studied the old 1.9.x stream4 exploit to get an
idea of roughly how much code could be executed with it.

However, they'd never be able to get any kind of remote shell, or get any
data out of the snort box to do much useful.

Of course, your only way of getting a prompt or data out of the box would
be at the physical console itself. You'd not be able to get a remote
login shell, etc, either.



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






