[Snort-users] How does Snort protect itself ?

Gary Flynn flynngn at ...6811...
Mon Sep 16 05:14:07 EDT 2002


WTWork wrote:
> 
> Not really sure this is what needs to be done. If you run Snort on a
> stealth NIC then it can't be found or tampered with there.

Keep in mind that both Ethereal and the MS Network Monitor had
defects that allowed malicious traffic in the packet stream being
monitored to subvert the machine doing the sniffing. This type of
attack wouldn't need an IP address.

That said, I suspect the basic Snort engine is less complicated
than an engine needing to decode hundreds of different protocols
down to the individual field levels, so there is probably less
likelihood of undiscovered defects. I don't know if the same can
be said for plug-ins.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



