[Snort-users] Can Snort detect R2L attacks?
chong238803 at ...131...
Mon Jun 4 04:58:59 EDT 2001
From my knowledge, Snort is a "grep network IDS". It can only detect attacks by sniff & match, right? Well, I read the paper "IDS Evaluation Program 1998" by MIT Lincoln Lab / DARPA; they classify attacks into 4 types: denial of service (DoS), probe, user to root (U2R), and remote to local (R2L).
A remote to local attack (an attack by an unauthorized user from outside the system to hijack privileges) is a very harmful attack. Normally on UNIX, R2L attacks appear in privileged network processes/program services, i.e. ftpd, telnetd, fingerd, etc. The attacker will use some vulnerability of that program, such as: buffer overflow, input validation (the PHF attack in CGI), Trojan, backdoor. In Snort I see some rules that can detect BOF and PHF attacks by matching against data in the audited packets.
IMHO, R2L and U2R can be detected by monitoring with a HIDS like the Saint Jude Linux kernel module. This way, you can detect when you were attacked. I think a network IDS is the first line of defence, to detect before the attack reaches the process...
OK, I have some questions about Snort, network detection and R2L attacks:
Q1: Are there other rules that can detect R2L attacks in Snort?
Q2: Which network information, and how, should a NIDS use to detect R2L? Is there any paper/tool/information that talks about this?
Sorry, I am not good at English; feel free to comment on my message.
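The "sniff & match" model the post asks about, as an added illustration that is not part of the post, of the Snort-users archive, or of Snort's own code: a toy Python matcher with three Snort-style rules (a PHF CGI content match, an FTP long-argument overflow heuristic and an x86 NOP-sled check) run over constructed packets. The rule strings, the 200-byte argument threshold and the sample packets are assumptions made for this example; real Snort rule syntax, URI normalization and preprocessors are not reproduced.

```python
"""Toy 'grep network IDS': Snort-style content rules over constructed packets."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import re


@dataclass
class Packet:
    """Minimal stand-in for a sniffed TCP segment (constructed, not captured)."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """A Snort-like rule: optional destination port, literal contents that must
    all appear in the payload, and an optional regex (like Snort's pcre option)."""
    msg: str
    dport: Optional[int] = None
    contents: List[bytes] = field(default_factory=list)
    pcre: Optional[bytes] = None


# Hypothetical rules modelled on the kinds of R2L signatures the post mentions.
RULES = [
    # PHF: the classic CGI input-validation hole; the request path is the signature.
    Rule("WEB-CGI phf access", dport=80, contents=[b"/cgi-bin/phf"]),
    # ftpd overflow heuristic: an FTP command with an unusually long argument
    # (200 bytes is an assumed threshold, not a value from any real rule).
    Rule("FTP command argument overflow attempt", dport=21,
         pcre=rb"^(USER|PASS|CWD|MKD)\s+[^\r\n]{200,}"),
    # x86 NOP sled: a run of 0x90 bytes often pads buffer-overflow payloads.
    Rule("x86 NOP sled in payload", pcre=rb"\x90{16,}"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Apply one rule to one packet: port check, then every content, then pcre."""
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if any(c not in pkt.payload for c in rule.contents):
        return False
    if rule.pcre is not None and re.search(rule.pcre, pkt.payload) is None:
        return False
    return True


def inspect(packets: List[Packet],
            rules: List[Rule] = RULES) -> List[Tuple[str, str, str, int]]:
    """Return (msg, src, dst, dport) for every rule that fires on every packet."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append((rule.msg, pkt.src, pkt.dst, pkt.dport))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    # benign web request
    Packet("10.0.0.5", "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    # PHF exploit attempt: newline-injected command via the Qalias parameter
    Packet("10.0.0.5", "192.168.1.10", 80,
           b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"),
    # ftpd overflow attempt: NOP sled followed by filler in the USER argument
    Packet("10.0.0.5", "192.168.1.10", 21,
           b"USER " + b"\x90" * 40 + b"A" * 200 + b"\r\n"),
    # same PHF request with the path URL-encoded: a plain content match misses it
    Packet("10.0.0.5", "192.168.1.10", 80,
           b"GET /cgi-bin/%70hf?Qalias=x%0a/bin/id HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS):
        print("ALERT %-40s %s -> %s:%d" % alert)
```

Running it fires three alerts (the PHF request, and both the overflow heuristic and the NOP-sled rule on the FTP packet) and none on the benign request. The fourth packet shows the limit of pure content matching: the URL-encoded "%70hf" path does not contain the literal signature, which is why a real NIDS normalizes URIs before matching and why the post's point about pairing a NIDS with a host-side check is worth keeping in mind.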