[Snort-devel] help I'm stuck inside spp_stream4.c and can't get out.

Frank Knobbe fknobbe at ...337...
Sat Jun 28 15:34:01 EDT 2003


On Sat, 2003-06-28 at 16:56, Mike Chandler wrote:
> It seemed like a good example to hold up and show people why they need
> to use a receive-only cable on their IDS.  If someone can find an
> overflow in a well written program like Snort, then using a tap or
> receive-only cable is only sensible.

Yes, it helps in that respect that the attacker is not able to spawn a
remote shell (unless the Snort sensor has Internet access through a
second NIC, which is typically confined to a management network). But
that doesn't make the sensor secure. If someone is able to issue a 'cat
/dev/urandom > /dev/hd0' or something (perhaps just a 'halt' is enough
:) without the need for a remote shell, then the attacker's goal is
accomplished. He has taken out the IDS. RO cable, tap, mirror port don't
prevent that.

Regards,
Frank


