[Snort-users] Attack on snort running in Public Zone

Matt Kettler mkettler at ...4108...
Tue Nov 18 15:43:12 EST 2003

At 04:35 PM 11/18/2003, bmcdowell at ...7861... wrote:
>It seems to me that, second interface or not, such an exploit as the
>example Matt gave could also be used to somehow provide an IP to the
>'stealth' box.
>Now a tap, well, they would need to do some wiring to beat that one
>(unless there's another interface).  Right?

In a box with only one NIC, connected to a hardware tap with no send 
capabilities, even the best case for an exploiter would leave them limited 
to making changes to the snort box itself, i.e. they could load code to 
delete files, call for shutdown, etc.

So it's still not hackproof, but you've greatly limited what they can do.

Realistically they'd also be limited in the size of the code they could 
execute by the nature of the buffer overflow in snort they were 
exploiting. I've never studied the old 1.9.x stream4 exploit to get an 
idea of roughly how much code could be executed with it.

However, they'd never be able to get any kind of remote shell, or get any 
data out of the snort box to do much that's useful.

Of course, your only way of getting a prompt or data out of the box would 
be at the physical console itself. You'd not be able to get a remote login 
shell, etc, either. 
