[Snort-users] Re: Stealth NIC (Was: How does Snort protect itself ?)

Erek Adams erek at ...577...
Wed Sep 18 11:34:02 EDT 2002

On Tue, 17 Sep 2002, Ian Macdonald wrote:

> Actually, it may still be possible to abuse snort/IDS systems if the  NIC
> doesn't have an IP address. You limit the risk but it is still possible. If
> it is found that a certain set of packets crash snort, then there is
> potential for being able to get the snort sensor to do things at your
> command. Putting in Taps help, but since you still read live data from the
> wire and do something with it then there is always the possibility for
> abuse.
> I have heard of IDS systems that crash because they run out of memory or
> because they try and decode something bad and break. Just something to think
> about.

If you recall, not that long ago, there was a bug in Ethereal (and tcpdump,
IIRC) that could cause a remote buffer overflow just by decoding a packet.

One thing that you can do that will help 'more' is a R/O cable on a ipless
interface.  That way, traffic _can't_ enter the network since the transmit
pairs don't send any data.


Erek Adams

More information about the Snort-users mailing list