[Snort-users] How does Snort protect itself ?

KD Rajkumar koderma at ...125...
Sun Sep 15 18:29:16 EDT 2002


I think you misunderstood my question. I wasn't asking if one could use 
Snort to protect Snort.


>From: twig les <twigles at ...131...>
>To: "Vinay A. Mahadik" <VAMahadik at ...6245...>, KD Rajkumar 
><koderma at ...125...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] How does Snort protect itself ?
>Date: Mon, 9 Sep 2002 20:42:47 -0700 (PDT)
>
>I wouldn't use snort to protect the sensor.  On top of
>what V. wrote, Snort protects *itself* by running as a
>normal user with no shell, and by not using shoddy
>programming (no buffer overflows on bugtraq :).
>
>Using Snort to protect your sensor is like using the
>back of a screwdriver as a hammer.  It would be a
>better idea to do the traditional grunt work of
>hardening the OS by pruning useless services, patching
>it, and firewalling it.
>
>
>--- "Vinay A. Mahadik" <VAMahadik at ...6245...> wrote:
> > KD Rajkumar wrote:
> >
> > > Hi,
> > >
> > > How does Snort protect itself against attacks. If an attacker is trying
> > > to take down the IDS itself, is Snort capable of detecting and thwarting
> > > it ?
> > >
> >
> > Briefly.. although perhaps not optimized for self-defense, there are
> > mechanisms like 'memcap' (and consequent aggressive pruning, and random
> > nuking of states), and 'timeout' for preprocessors like frag2, stream4.
> > There's '-z est' defense against stick/snot attacks. For evasion
> > attacks, there are dedicated preprocessors and preprocessor options, and
> > some internal source code tweaks like the 1.9.x's pseudo-random
> > FLUSH_POINTs in stream4. These are just pointers and not a complete
> > list.. It would be good to have a separate discussion in the manual
> > about these..
> >
> > --
> > Vinay A. Mahadik
> > Summer Intern
> > System & Network Security Group
> > Lawrence Berkeley National Lab
> > (510) 495 2618
>
>
>=====
>-----------------------------------------------------------
>Heavy metal made me do it.
>-----------------------------------------------------------

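The 'memcap', 'timeout' and random state pruning mentioned in the quoted reply, sketched as an added example that is not part of the original thread and is not Snort's code. The class, the byte accounting and the exact eviction policy are assumptions made for illustration; the flood input is constructed.

```python
import random

class StateTable:
    """Toy per-flow state store bounded by a byte budget and an idle timeout."""

    def __init__(self, memcap, timeout, seed=0):
        self.memcap = memcap      # maximum bytes of tracked state (assumed unit)
        self.timeout = timeout    # seconds a flow may sit idle before removal
        self.flows = {}           # flow key -> [bytes_held, last_seen]
        self.used = 0
        self.rng = random.Random(seed)
        self.evicted = {"timeout": 0, "memcap": 0}

    def _drop(self, key, reason):
        self.used -= self.flows.pop(key)[0]
        self.evicted[reason] += 1

    def prune(self, now):
        """Remove every flow that has been idle longer than the timeout."""
        idle = [k for k, (_, seen) in self.flows.items() if now - seen > self.timeout]
        for key in idle:
            self._drop(key, "timeout")

    def add(self, key, nbytes, now):
        """Buffer nbytes for a flow, then enforce the timeout and the memcap."""
        self.prune(now)
        entry = self.flows.setdefault(key, [0, now])
        entry[0] += nbytes
        entry[1] = now
        self.used += nbytes
        # Over budget: evict randomly chosen other flows, so the order in
        # which state was created does not decide which flow loses it.
        while self.used > self.memcap and len(self.flows) > 1:
            victim = self.rng.choice([k for k in self.flows if k != key])
            self._drop(victim, "memcap")
        if self.used > self.memcap:   # one flow alone exceeds the budget
            self._drop(key, "memcap")

def simulate_flood(n_flows=10_000, memcap=64_000, timeout=30):
    """Constructed input: one 512-byte segment on each of n_flows new flows."""
    table = StateTable(memcap, timeout)
    for i in range(n_flows):
        table.add(("192.0.2.%d" % (i % 250), i), 512, now=i * 0.01)
    return table

if __name__ == "__main__":
    t = simulate_flood()
    print(len(t.flows), t.used, t.evicted)
```

However many flows the sender opens, tracked state stays at or below the cap; the cost is that legitimate flows can lose their state too, which is why the cap is a sizing decision for the sensor.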