[Snort-users] Can Snort Detect R2L attack?

KFC chong238803 at ...131...
Mon Jun 4 04:58:59 EDT 2001

Dear All...

        From my knowledge, Snort is a "Grep Network IDS". It can only detect attacks by sniff & match, right? Well, I read the paper "IDS Evaluation Program 1998 by MIT Lincoln Lab, DARPA"; they classify attacks into 4 types: Denial of Service (DoS), probe, user to root (U2R), and remote to local (R2L).

      Remote to Local attack - attack by an unauthorized user from outside the system to hijack privileges - is a very harmful attack. Normally on UNIX, R2L attacking will appear in network privileged processes/program services, i.e. ftpd, telnetd, fingerd, etc. The attacker will use some vulnerability of that program, such as: buffer overflow, input validation (PHF attack in CGI), trojan, backdoor. In Snort I see some rules that can detect BOF and PHF attacks by matching with data in the audited packets.

   IMHO, R2L and U2R can be detected by monitoring with a HIDS like the Saint Jude Linux Kernel Module. This way, you can detect when you were attacked. I think a Network IDS is the first line of defence, to detect before the attack reaches the process.....

    OK, I have some questions about Snort, network detection and R2L attacks:


  Q1: Are there other rules that can detect R2L attacks in Snort?

  Q2: Which network information, and how, should a NIDS use to detect R2L? Are there any papers/tools/information that talk about this?

 Sorry, I am not good at English; feel free to comment on my message.



Chowalit Tinny
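The post above describes Snort as a "grep" NIDS that catches R2L attacks such as the PHF CGI command injection or an oversized ftpd argument purely by content matching on packets. The following is an added example, not code from the post or from Snort: a toy matcher for a small subset of Snort rule syntax (content, nocase, the |hex| escape and dsize:>N), run over constructed TCP payloads. The two rules and the five packets are constructed for illustration; they are not Snort's real rules and the messages are made up. Real Snort adds stream reassembly, HTTP normalization, uricontent, pcre and isdataat on top of this, which is why production rules look different.

```python
"""Toy 'grep-style' signature matcher in the spirit of Snort content rules.

Added example for illustration; it is not Snort code. Rules, packets and
alert messages below are constructed, not taken from a real rule set.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Minimal stand-in for a captured TCP segment (constructed, not captured)."""
    proto: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    msg: str
    proto: str
    dport: str                                     # "any" or a port number as text
    contents: List[Tuple[bytes, bool]] = field(default_factory=list)  # (pattern, nocase)
    dsize_gt: Optional[int] = None                 # dsize:>N  -> alert only if payload longer than N


# Header: alert <proto> <src> <sport> -> <dst> <dport> ( options )
HEADER_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def decode_content(text: str) -> bytes:
    """Turn a Snort-style content string into bytes: text outside |...| is
    literal, text inside is hex. So "%0a" stays the three literal characters
    an attacker sends in a URL, while "|0a|" is a real newline byte."""
    out = bytearray()
    for i, chunk in enumerate(text.split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode('latin-1')
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule = Rule(msg="", proto=m['proto'], dport=m['dport'])
    # Toy splitter: options are ';'-separated and contain no escaped ';'.
    for opt in (o.strip() for o in m['opts'].split(';')):
        if not opt:
            continue
        key, _, val = opt.partition(':')
        val = val.strip().strip('"')
        if key == 'msg':
            rule.msg = val
        elif key == 'content':
            rule.contents.append((decode_content(val), False))
        elif key == 'nocase':                      # modifies the preceding content, as in Snort
            pat, _ = rule.contents[-1]
            rule.contents[-1] = (pat, True)
        elif key == 'dsize' and val.startswith('>'):
            rule.dsize_gt = int(val[1:])
        else:
            raise ValueError(f"option not supported by this toy: {opt!r}")
    return rule


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All content patterns must be present (ANDed), plus port and size checks."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport != 'any' and int(rule.dport) != pkt.dport:
        return False
    if rule.dsize_gt is not None and len(pkt.payload) <= rule.dsize_gt:
        return False
    for pat, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pat.lower()) if nocase else (pkt.payload, pat)
        if needle not in hay:
            return False
    return True


def run_rules(rule_lines: List[str], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packet index, rule msg) for every rule that fires on every packet."""
    rules = [parse_rule(r) for r in rule_lines]
    return [(i, r.msg) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


# Constructed rules (hypothetical, not Snort's own). The FTP rule uses dsize as a
# coarse stand-in for the per-field length checks real rules do with isdataat/pcre.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-CGI phf command injection"; content:"/cgi-bin/phf"; content:"%0a"; nocase;)',
    'alert tcp any any -> any 21 (msg:"FTP USER oversized argument"; content:"USER "; nocase; dsize:>512;)',
]

# Constructed traffic: benign HTTP, PHF newline injection, benign FTP login,
# an FTP USER with a 600-byte argument, and the same bytes on a non-FTP port.
PACKETS = [
    Packet('tcp', 80, b'GET /index.html HTTP/1.0\r\n\r\n'),
    Packet('tcp', 80, b'GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n'),
    Packet('tcp', 21, b'USER anonymous\r\n'),
    Packet('tcp', 21, b'user ' + b'A' * 600 + b'\r\n'),
    Packet('tcp', 23, b'user ' + b'A' * 600 + b'\r\n'),
]

if __name__ == '__main__':
    for idx, msg in run_rules(RULES, PACKETS):
        print(f"packet {idx}: {msg}")
```

The last packet shows the limit of pure matching: identical bytes on port 23 raise nothing, and a U2R step that never crosses the wire produces no packet at all, which is the gap the post expects a host-based monitor to cover.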


