[Snort-users] Re: Stealth NIC (Was: How does Snort protect itself ?)
erek at ...577...
Wed Sep 18 11:34:02 EDT 2002
On Tue, 17 Sep 2002, Ian Macdonald wrote:
> Actually, it may still be possible to abuse snort/IDS systems if the NIC
> doesn't have an IP address. You limit the risk but it is still possible. If
> it is found that a certain set of packets crash snort, then there is
> potential for being able to get the snort sensor to do things at your
> command. Putting in taps helps, but since you still read live data from the
> wire and do something with it then there is always the possibility for
> I have heard of IDS systems that crash because they run out of memory or
> because they try and decode something bad and break. Just something to think
If you recall, not that long ago, there was a bug in Ethereal (and tcpdump,
IIRC) that could cause a remote buffer overflow just by decoding a packet.
One thing that you can do that will help 'more' is an R/O cable on an IP-less
interface. That way, traffic _can't_ enter the network since the transmit
pairs don't send any data.
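The software half of that setup, as an added example that is not from the thread or from Snort itself: a shell script that strips every layer-3 identity from the capture NIC (no IPv4/IPv6 address, ARP off, promiscuous) and a check that reads `ip addr show` output and fails if the interface still has an address or still answers ARP. The interface name `eth1` and the two sample `ip addr show` outputs are constructed for the example; the configure step needs root, the check does not.

```shell
#!/bin/sh
# Added example, not from the original post. Puts a Snort sniffing NIC into a
# "stealth" state and verifies it. Interface "eth1" is an assumption.

IFACE="${IFACE:-eth1}"

# Remove every layer-3 identity from the capture interface (needs root).
# The receive-only cable from the thread is the physical complement to this:
# this stops the host from *wanting* to talk, the cable stops it from being able to.
configure_stealth_iface() {
    iface="$1"
    ip addr flush dev "$iface"                          # drop any IPv4/IPv6 addresses
    ip link set dev "$iface" arp off                    # never send or answer ARP
    ip link set dev "$iface" multicast off              # no IGMP/MLD joins
    sysctl -q -w "net.ipv6.conf.$iface.disable_ipv6=1"  # no link-local autoconf
    ip link set dev "$iface" promisc on up              # see every frame, own none
}

# Read `ip addr show dev X` output on stdin. Return 0 only if the interface has
# no inet/inet6 address and carries the NOARP flag; findings go to stderr.
assess_iface_output() {
    out=$(cat)
    rc=0
    if printf '%s\n' "$out" | grep -Eq '^[[:space:]]+inet6? '; then
        echo "FAIL: interface still has a layer-3 address" >&2
        rc=1
    fi
    if ! printf '%s\n' "$out" | grep -q 'NOARP'; then
        echo "FAIL: ARP is still enabled" >&2
        rc=1
    fi
    if ! printf '%s\n' "$out" | grep -q 'PROMISC'; then
        echo "WARN: interface is not in promiscuous mode" >&2
    fi
    return $rc
}

# Live check against a real interface.
check_stealth_iface() {
    ip addr show dev "$1" | assess_iface_output
}

# Constructed sample outputs (not captured from a real sensor): a normally
# configured NIC and the same NIC after configure_stealth_iface.
SAMPLE_BEFORE='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
    inet6 fe80::211:22ff:fe33:4455/64 scope link'
SAMPLE_AFTER='2: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Demo run against the samples; no root or real NIC needed.
printf '%s\n' "$SAMPLE_BEFORE" | assess_iface_output || echo "$IFACE (before): not stealth"
printf '%s\n' "$SAMPLE_AFTER"  | assess_iface_output && echo "$IFACE (after): stealth OK"
```

Run `check_stealth_iface eth1` after `configure_stealth_iface eth1` (and again from cron) rather than trusting the one-time setup: a DHCP client or NetworkManager left managing the interface can put an address back on it, which is exactly the identity the stealth NIC is meant not to have.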