[Snort-users] How does Snort protect itself ?

KD Rajkumar koderma at ...125...
Sun Sep 15 18:29:09 EDT 2002


I think it's a splendid idea to have a seperate discussion on the manual 
page on this.

It would be very helpful to get insight from the curators of the program, 
Marty Roesch et al, on data structures used and other design considerations 
for protecting Snort itself from being attacked.


>From: "Vinay A. Mahadik" <VAMahadik at ...6245...>
>To: KD Rajkumar <koderma at ...125...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] How does Snort protect itself ?
>Date: Sun, 08 Sep 2002 14:44:42 -0400
>
>KD Rajkumar wrote:
>
>>Hi,
>>
>>How does Snort protect itself against attacks. If an attacker is trying to 
>>take down the IDS itself, is Snort capable of detecting and thwarting it ?
>>
>
>Briefly.. although perhaps not optimized for self-defense, there are 
>mechanisms like 'memcap' (and consequent aggressive pruning, and random 
>nuking of states), and 'timeout' for preprocessors like frag2, stream4. 
>There's '-z est' defense against stick/snot attacks. For evasion attacks, 
>there are dedicated preprocessors and preprocessor options, and some 
>internal source code tweaks like the 1.9.x's pseudo-random FLUSH_POINTs in 
>stream4. These are just pointers and not a complete list.. It would be good 
>to have a separate discussion in the manual about these..
>
>--
>Vinay A. Mahadik
>Summer Intern
>System & Network Security Group
>Lawrence Berkeley National Lab
>(510) 495 2618




_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx





More information about the Snort-users mailing list