Snort mailing list archives

Re: Attack on snort running in Public Zone


From: Craig Paterson <craigp () tippett com>
Date: Tue, 18 Nov 2003 16:53:25 -0800

Matt Kettler wrote:

At 04:35 PM 11/18/2003, bmcdowell () coxhealthplans com wrote:

It seems to me that, second interface or not, such an exploit as the
example Matt gave could also be used to somehow provide an IP to the
'stealth' box.

Now a tap, well, they would need to do some wiring to beat that one
(unless there's another interface).  Right?


In a box with only one NIC, connected to a hardware tap with no send capabilities, even the best case for an exploiter would leave them limited to making changes to the snort box itself, i.e. they could load code to delete files, call for shutdown, etc.

So it's still not hackproof, but you've greatly limited what they can do.

Realistically they'd also be limited in the size of the code they could execute by the nature of the buffer overflow in snort they were exploiting. I've never studied the old 1.9.x stream4 exploit to get an idea of roughly how much code could be executed with it.

However, they'd never be able to get any kind of remote shell, or get any data out of the snort box to do much useful.

Of course, your only way of getting a prompt or data out of the box would be at the physical console itself. You'd not be able to get a remote login shell, etc., either.


It's getting a little elaborate, but you have the (hypothetical) second management interface on a DMZ and the sniffing interface on a tap. That way you have free access to the Snort box without having to wander up to it, but it has limited or no access to your internal net.

Of course if that's too much of a pain just put the management interface on your LAN and disallow all internet-bound traffic from that interface at the firewall. Someone could still compromise the Snort box through an (also hypothetical) attack via the sensor, and could cause traffic to be sent out on your LAN. But they'd be doing it all blind, and it'd be at least very tricky to do anything too particular. So it might provide security you think adequate.

Craig.
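The layout Craig describes (a stealth sniffing NIC on the tap, a management NIC on the LAN with all internet-bound traffic blocked) as a host-side firewall script. This is an added example, not from the thread or the Snort project; the interface names, the LAN range and the analyst host are assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: harden a Snort sensor with a stealth sniffing NIC and a
# LAN-only management NIC. Values below are assumptions for illustration.
SNIFF_IF="${SNIFF_IF:-eth1}"            # assumed: NIC plugged into the tap
MGMT_IF="${MGMT_IF:-eth0}"              # assumed: NIC on the internal LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed: the internal LAN
MGMT_HOST="${MGMT_HOST:-192.168.1.10}"  # constructed: analyst workstation

# Print each command, or execute it when APPLY=1 (needs root).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

stealth_sniffer() {
  # No address and no ARP on the sniffing NIC: it listens but never answers,
  # so even a compromised sensor has nothing to talk back through on the tap.
  run ip addr flush dev "$SNIFF_IF"
  run ip link set dev "$SNIFF_IF" arp off promisc on up
  # Belt and braces: refuse to source any packet from the sniffing NIC.
  run iptables -A OUTPUT -o "$SNIFF_IF" -j DROP
}

mgmt_policy() {
  run iptables -P INPUT DROP
  run iptables -P OUTPUT DROP
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Inbound: only SSH from the analyst host on the management NIC.
  run iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_HOST" -p tcp --dport 22 -j ACCEPT
  # Outbound: replies, plus new connections to the LAN only; nothing
  # internet-bound leaves the management NIC, and blocked attempts are logged
  # so a "blind" attacker probing outward shows up in the sensor's own logs.
  run iptables -A OUTPUT -o "$MGMT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -o "$MGMT_IF" -d "$LAN_NET" -j ACCEPT
  run iptables -A OUTPUT -o "$MGMT_IF" -j LOG --log-prefix "sensor-egress-blocked: "
  run iptables -A OUTPUT -o "$MGMT_IF" -j DROP
}

sensor_rules() { stealth_sniffer; mgmt_policy; }
```

Run `sensor_rules` to review the generated rule set, then `APPLY=1 sensor_rules` as root to apply it.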


