[Snort-users] How does Snort protect itself ?

Ian Macdonald secsnort at ...5528...
Tue Sep 17 07:06:03 EDT 2002


Actually, it may still be possible to abuse snort/IDS systems if the NIC
doesn't have an IP address. You limit the risk but it is still possible. If
it is found that a certain set of packets crash snort, then there is
potential for being able to get the snort sensor to do things at your
command. Putting in taps helps, but since you still read live data from the
wire and do something with it then there is always the possibility for
abuse.

I have heard of IDS systems that crash because they run out of memory or
because they try and decode something bad and break. Just something to think
about.

Ian

----- Original Message -----
From: "WTWork" <securitygauntlet at ...3130...>
To: "KD Rajkumar" <koderma at ...125...>; <VAMahadik at ...6245...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Sunday, September 15, 2002 11:09 PM
Subject: Re: [Snort-users] How does Snort protect itself ?


> Not really sure this is what needs to be done. If you run Snort on a
> stealth NIC then it can't be found or tampered with there. If you firewall
> and only allow say SSH in for management and ACID (whatever your fav
> interface is) in for viewing alerts, the problem should be solved. OH ya!! Also
> one should ALWAYS harden the server the sensor is on. IDS (Hosts-based)
> systems should NOT be placed on servers requiring or running other apps.
> This is why the advent of the Snort appliance based is a great idea. Then
> you get a "Sensor in a box" not an OS/server/maintenance/admin/all the other
> stuff that comes with standard default install of servers.
>
> This is MOHO and just take the info for what it is worth to you
>
> Wayne
>
> At 01:50 AM 9/10/2002 +0000, KD Rajkumar wrote:
> >I think it's a splendid idea to have a separate discussion on the manual
> >page on this.
> >
> >It would be very helpful to get insight from the curators of the program,
> >Marty Roesch et al, on data structures used and other design
> >considerations for protecting Snort itself from being attacked.
> >
> >
> >>From: "Vinay A. Mahadik" <VAMahadik at ...6245...>
> >>To: KD Rajkumar <koderma at ...125...>
> >>CC: snort-users at lists.sourceforge.net
> >>Subject: Re: [Snort-users] How does Snort protect itself ?
> >>Date: Sun, 08 Sep 2002 14:44:42 -0400
> >>
> >>KD Rajkumar wrote:
> >>
> >>>Hi,
> >>>
> >>>How does Snort protect itself against attacks? If an attacker is trying
> >>>to take down the IDS itself, is Snort capable of detecting and
> >>>thwarting it?
> >>
> >>Briefly.. although perhaps not optimized for self-defense, there are
> >>mechanisms like 'memcap' (and consequent aggressive pruning, and random
> >>nuking of states), and 'timeout' for preprocessors like frag2, stream4.
> >>There's '-z est' defense against stick/snot attacks. For evasion attacks,
> >>there are dedicated preprocessors and preprocessor options, and some
> >>internal source code tweaks like the 1.9.x's pseudo-random FLUSH_POINTs
> >>in stream4. These are just pointers and not a complete list.. It would be
> >>good to have a separate discussion in the manual about these..
> >>
> >>--
> >>Vinay A. Mahadik
> >>Summer Intern
> >>System & Network Security Group
> >>Lawrence Berkeley National Lab
> >>(510) 495 2618

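The memcap, timeout and '-z est' mechanisms Vinay lists above, as an added toy model that is not Snort's own code: a session table bounded by a memory cap that first prunes idle sessions and then nukes random ones, plus an established-only policy under which segments with no completed handshake are never inspected, so a stick/snot-style flood neither fills the table nor fires rules. Entry sizes, timeouts, keys and traffic are all constructed.

```python
"""Toy model of the mechanisms listed above: a memcap-bounded session table with
timeout pruning and random nuking, plus an '-z est'-style established-only rule.
Added example, not Snort's code; all sizes, timeouts and traffic are constructed."""
import random
STATE_BYTES = 64            # assumed memory cost of one session entry
MEMCAP = 8 * STATE_BYTES    # cap kept tiny so pruning is visible: 8 sessions
TIMEOUT = 30                # seconds idle before a session is expired
HANDSHAKE = {("syn", "SA"): "synack", ("synack", "A"): "est"}   # 3-way handshake

class SessionTable:
    def __init__(self, memcap=MEMCAP, timeout=TIMEOUT, est_only=True, seed=1):
        self.sessions = {}                  # key -> {"last": t, "state": str}
        self.memcap, self.timeout, self.est_only = memcap, timeout, est_only
        self.rng = random.Random(seed)      # deterministic "random nuking"
        self.pruned = self.nuked = 0

    def _make_room(self, now):
        # Stage 1: aggressive pruning of sessions idle longer than the timeout.
        live = {k: s for k, s in self.sessions.items() if now - s["last"] <= self.timeout}
        self.pruned += len(self.sessions) - len(live)
        self.sessions = live
        # Stage 2: still no room -> nuke random states instead of growing unbounded.
        while live and (len(live) + 1) * STATE_BYTES > self.memcap:
            del live[self.rng.choice(list(live))]
            self.nuked += 1

    def packet(self, now, key, flags):      # returns True if the segment is inspected
        s = self.sessions.get(key)
        if s is None:
            if flags != "S":                # stray segment with no handshake
                return not self.est_only    # -z est: no session, no alerting
            self._make_room(now)
            s = self.sessions[key] = {"last": now, "state": "syn"}
        s["last"], s["state"] = now, HANDSHAKE.get((s["state"], flags), s["state"])
        return s["state"] == "est" or not self.est_only

def run_demo():
    """Constructed traffic: one real handshake, then stick/snot-style floods."""
    t = SessionTable()
    client = ("10.0.0.5", 40000, "10.0.0.9", 80)
    t.packet(0, client, "S"); t.packet(0, client, "SA")
    legit = t.packet(0, client, "A")
    # 1000 forged data segments with no handshake: rule-matching noise, no state.
    stray = sum(t.packet(1, ("1.2.3.4", p, "10.0.0.9", 80), "PA") for p in range(1000))
    # 1000 SYNs from spoofed ports, 1 s apart: the table stays bounded by the memcap.
    for i in range(1000):
        t.packet(2 + i, ("5.6.7.8", 1024 + i, "10.0.0.9", 80), "S")
    after_flood = len(t.sessions)
    t.packet(2000, ("9.9.9.9", 1, "10.0.0.9", 80), "S")   # long gap: everything idle
    return {"legit": legit, "stray": stray, "after_flood": after_flood,
            "tracked": len(t.sessions), "pruned": t.pruned, "nuked": t.nuked}
```

With est_only=False the same stray segments all come back as inspected, which is the behaviour '-z est' was added to avoid.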



