[Snort-users] How does Snort protect itself ?

twig les twigles at ...131...
Mon Sep 9 20:43:03 EDT 2002


I wouldn't use snort to protect the sensor.  On top of
what V. wrote, Snort protects *itself* by running as a
normal user with no shell, and by not using shoddy
programming (no buffer overflows on bugtraq :).

Using Snort to protect your sensor is like using the
back of a screwdriver as a hammer.  It would be a
better idea to do the traditional grunt work of
hardening the OS by pruning useless services, patching
it, and firewalling it.


--- "Vinay A. Mahadik" <VAMahadik at ...6245...> wrote:
> KD Rajkumar wrote:
> 
> > Hi,
> > 
> > How does Snort protect itself against attacks. If an attacker is trying
> > to take down the IDS itself, is Snort capable of detecting and thwarting
> > it ?
> > 
> 
> Briefly.. although perhaps not optimized for self-defense, there are
> mechanisms like 'memcap' (and consequent aggressive pruning, and random
> nuking of states), and 'timeout' for preprocessors like frag2, stream4.
> There's '-z est' defense against stick/snot attacks. For evasion
> attacks, there are dedicated preprocessors and preprocessor options, and
> some internal source code tweaks like the 1.9.x's pseudo-random
> FLUSH_POINTs in stream4. These are just pointers and not a complete
> list.. It would be good to have a separate discussion in the manual
> about these..
> 
> --
> Vinay A. Mahadik
> Summer Intern
> System & Network Security Group
> Lawrence Berkeley National Lab
> (510) 495 2618


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
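
A toy model of the 'memcap' and 'timeout' idea named in the quoted reply, added here as an illustration; it is not Snort's code and does not come from either poster. The class, its fixed per-session cost and the flood parameters are assumptions made for the example.

```python
import random
from collections import OrderedDict

class SessionTable:
    """Toy memcap- and timeout-bounded state table (illustrative, not Snort code)."""

    def __init__(self, memcap, timeout, entry_cost=256, seed=0):
        self.memcap = memcap            # maximum bytes of tracked state
        self.timeout = timeout          # idle seconds before a session expires
        self.entry_cost = entry_cost    # assumed fixed bytes per session
        self.sessions = OrderedDict()   # key -> last_seen, least recent first
        self.rng = random.Random(seed)  # seeded so the example is repeatable
        self.pruned_timeout = 0
        self.pruned_random = 0

    def used(self):
        return len(self.sessions) * self.entry_cost

    def _expire(self, now):
        # Idle sessions sit at the front because track() moves active ones back.
        while self.sessions:
            key, last = next(iter(self.sessions.items()))
            if now - last <= self.timeout:
                break
            del self.sessions[key]
            self.pruned_timeout += 1

    def track(self, key, now):
        self._expire(now)
        if key in self.sessions:
            self.sessions[key] = now
            self.sessions.move_to_end(key)
            return
        # Under memory pressure, evict random victims so the sender of a flood
        # cannot predict which tracked sessions are dropped.
        while self.used() + self.entry_cost > self.memcap and self.sessions:
            victim = self.rng.choice(list(self.sessions))
            del self.sessions[victim]
            self.pruned_random += 1
        self.sessions[key] = now

def simulate_flood(n_bogus=10_000, memcap=64 * 1024, timeout=30):
    """Constructed input: one new bogus flow per millisecond, then one real flow."""
    table = SessionTable(memcap, timeout)
    peak = 0
    for i in range(n_bogus):
        table.track(("10.0.0.%d" % (i % 250), i), now=i / 1000.0)
        peak = max(peak, table.used())
    table.track(("192.0.2.10", 80), now=100.0)  # arrives after the flood went idle
    return peak, table
```

State never grows past the cap during the flood, and once the bogus flows have been idle longer than the timeout they are all dropped when the next packet is tracked.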
