[Snort-users] How does Snort protect itself ?

twig les twigles at ...131...
Tue Sep 10 10:35:02 EDT 2002


Not really.  My point was that Snort protects Snort
well, but not the sensor.


--- KD Rajkumar <koderma at ...125...> wrote:
> I think you misunderstood my question. I wasn't asking if one could use
> Snort to protect Snort.
> 
> 
> >From: twig les <twigles at ...131...>
> >To: "Vinay A. Mahadik" <VAMahadik at ...6245...>, KD Rajkumar <koderma at ...125...>
> >CC: snort-users at lists.sourceforge.net
> >Subject: Re: [Snort-users] How does Snort protect itself ?
> >Date: Mon, 9 Sep 2002 20:42:47 -0700 (PDT)
> >
> >I wouldn't use snort to protect the sensor.  On top of
> >what V. wrote, Snort protects *itself* by running as a
> >normal user with no shell, and by not using shoddy
> >programming (no buffer overflows on bugtraq :).
> >
> >Using Snort to protect your sensor is like using the
> >back of a screwdriver as a hammer.  It would be a
> >better idea to do the traditional grunt work of
> >hardening the OS by pruning useless services, patching
> >it, and firewalling it.
> >
> >
> >--- "Vinay A. Mahadik" <VAMahadik at ...6245...> wrote:
> > > KD Rajkumar wrote:
> > >
> > > > Hi,
> > > >
> > > > How does Snort protect itself against attacks. If an attacker is trying
> > > > to take down the IDS itself, is Snort capable of detecting and thwarting
> > > > it ?
> > > >
> > >
> > > Briefly.. although perhaps not optimized for self-defense, there are
> > > mechanisms like 'memcap' (and consequent aggressive pruning, and random
> > > nuking of states), and 'timeout' for preprocessors like frag2, stream4.
> > > There's '-z est' defense against stick/snot attacks. For evasion
> > > attacks, there are dedicated preprocessors and preprocessor options, and
> > > some internal source code tweaks like the 1.9.x's pseudo-random
> > > FLUSH_POINTs in stream4. These are just pointers and not a complete
> > > list.. It would be good to have a separate discussion in the manual
> > > about these..
> > >
> > > --
> > > Vinay A. Mahadik
> > > Summer Intern
> > > System & Network Security Group
> > > Lawrence Berkeley National Lab
> > > (510) 495 2618
> >=====
> >-----------------------------------------------------------
> >Heavy metal made me do it.
> >-----------------------------------------------------------


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
