[Snort-users] How does Snort protect itself ?

WTWork securitygauntlet at ...3130...
Sun Sep 15 20:09:04 EDT 2002

Not really sure this is what needs to be done. If you run Snort on a 
stealth NIC then it can't be found or tampered with there. If you firewall 
and only allow say SSH in for management and ACID (What ever you fav 
interface is) In  fro viewing alerts problem should be solved. OH ya!! Also 
one should ALWAYS harden the server the sensor is on. IDS (Hosts-based) 
systems should NOT be placed on servers requiring or running other apps. 
This is why the advent of the Snort appliance based is a great idea. Then 
you get a "Sensor in a box" not a OS/server/maintenance/admin/all the other 
stuff that comes with standard default install of servers.

This is MOHO and just take the info for what it is worth to you


At 01:50 AM 9/10/2002 +0000, KD Rajkumar wrote:
>I think it's a splendid idea to have a seperate discussion on the manual 
>page on this.
>It would be very helpful to get insight from the curators of the program, 
>Marty Roesch et al, on data structures used and other design 
>considerations for protecting Snort itself from being attacked.
>>From: "Vinay A. Mahadik" <VAMahadik at ...6245...>
>>To: KD Rajkumar <koderma at ...125...>
>>CC: snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] How does Snort protect itself ?
>>Date: Sun, 08 Sep 2002 14:44:42 -0400
>>KD Rajkumar wrote:
>>>How does Snort protect itself against attacks. If an attacker is trying 
>>>to take down the IDS itself, is Snort capable of detecting and thwarting it ?
>>Briefly.. although perhaps not optimized for self-defense, there are 
>>mechanisms like 'memcap' (and consequent aggressive pruning, and random 
>>nuking of states), and 'timeout' for preprocessors like frag2, stream4. 
>>There's '-z est' defense against stick/snot attacks. For evasion attacks, 
>>there are dedicated preprocessors and preprocessor options, and some 
>>internal source code tweaks like the 1.9.x's pseudo-random FLUSH_POINTs 
>>in stream4. These are just pointers and not a complete list.. It would be 
>>good to have a separate discussion in the manual about these..
>>Vinay A. Mahadik
>>Summer Intern
>>System & Network Security Group
>>Lawrence Berkeley National Lab
>>(510) 495 2618
>MSN Photos is the easiest way to share and print your photos: 
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list