[Snort-users] Receive Only Cable...

Abe L. Getchell abegetchell at ...530...
Mon Jan 14 21:03:02 EST 2002


Hi Frank!

You wouldn't be able to launch a DoS against the system per say, but the
application (in this case Snort) the system was running.  Since the
packets _are not_ being processed by the sensor's IP stack (it's running
in stealth mode with IP disabled), the 'system' _would not_ 'see' or
process the packets _at all_.  The trick would be, as I mentioned above,
to DoS the application - Snort.  Making Snort choke is dependent on how
it handles DoS conditions compared to an IP stack; it might not choke on
the same things that make a system's IP stack choke.

For instance, if I'm running a sensor on Solaris x86 (heh) monitoring my
internet pipe, and I send a DoS attack into my internal network from my
machine at home that I _know_ makes Solaris x86 choke, it's _not_ going
to kill the sensor.  The sensor's IP stack isn't processing the packets
and Snort simply catches the traffics, alerts on it, and goes on about
it's business.

Please correct me if I'm wrong, but if IP isn't enabled as mentioned
below, then why would a specific IP-based DoS work?

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Frank
Knobbe
Sent: Monday, January 14, 2002 7:17 PM
To: 'Chris Arsenault'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Receive Only Cable...


-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
I guess any type of ICMP and UDP flood/DoS would still work. 
Afterall, if Snort can see the packet, the system can. 
  
Getting in as far as hacking..... I don't think so, since no data 
leaves the interface (well, the cable more or less :) 
  
Regards, 
Frank 
  
  
PS: I was contemplating making a little How-to video of the creation 
of the cable (since I get this asked a lot). Is there interest in 
such a 'how do you crimp a funky cable' mpeg? 
- -----Original Message----- 
From: Chris Arsenault [mailto:carsenault at ...4459...] 
Sent: Monday, January 14, 2002 5:35 PM 
To: snort-users at lists.sourceforge.net 
Subject: [Snort-users] Receive Only Cable... 


     I setup a receive only cable as described in the Snort FAQ, 
works like a charm!!  I was just wondering with this cable and the 
interface it is plugged into set up as stealth, can anyone describe a 
possible attack which can still get to this box? 
  
Thanks, 
  
Chris Arsenault 
  
  
-----BEGIN PGP SIGNATURE----- 
Version: PGP Personal Privacy 6.5.8 
Comment: PGP or S/MIME (X.509) encrypted email preferred. 
iQA/AwUBPEN1EczYtOFvgXQfEQLyEACePHDdQCXnXWcsHfYh48zoi8Oo+PwAn32G 
v7BsTXqKAJkKEtDG8Kuq5aG9 
=V30/ 
-----END PGP SIGNATURE----- 





More information about the Snort-users mailing list