[Snort-devel] help I'm stuck inside spp_stream4.c and can't get out.
fknobbe at ...337...
Sat Jun 28 15:34:01 EDT 2003
On Sat, 2003-06-28 at 16:56, Mike Chandler wrote:
> It seemed like a good example to hold up and show people why they need
> to use a receive-only cable on their IDS. If someone can find an
> overflow in a well written program like Snort, then using a tap or
> receive-only cable is only sensible.
Yes, it helps in that respect that the attacker is not able to spawn a
remote shell (unless the Snort sensor has Internet access through a
second NIC which is typically confined to a management network). But
that doesn't make the sensor secure. If someone is able to issue a 'cat
/dev/urandom > /dev/hd0' or something (perhaps just a 'halt' is enough
:) without the need for a remote shell, then the attacker's goal is
accomplished. He has taken out the IDS. RO cable, tap, mirror port don't