RE: Attack on snort running in Public Zone

[Matt Kettler <mkettler () evi-inc com>]

At 07:00 PM 11/18/2003, Lucretia Enterprises Administrator wrote:
> To bring this back on conversation, the original question was to avoid a
> DDoS attack...

(trimming the to: list to just the list itself)

Actually, the topic of this thread was to avoid a DoS attack against the 
snort box, not a DDoS..

Since an overflow exploit in snort itself could result in a DoS attack 
against the snort box, it's certainly relevant to this discussion that any 
claims that a "stealth" interface with no IP address will not provide 
protection against that form of DoS. It also won't provide absolute 
protection from general exploitation of the box.

Technically nothing short of unplugging the snort box entirely can 
absolutely protect it against all kinds of DoS attacks, but it's worth 
knowing what your level of risk is and how to minimize it.

Stealth interfaces, one-way-taps, using a secured configuration of the OS 
of your choice, and utilizing snort's ability to chroot/setuid (on 
platforms that support chroot and setuid) are all ways to minimize the 
level of risk, by limiting the kinds of attack that will be effective, and 
reducing the scope of damage that can be done. This general concept is just 
as applicable to DoS scenarios as full exploit scenarios, and DoS's are 
even more difficult to protect against.






-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users