[Snort-users] Attack on snort running in Public Zone
Lucretia Enterprises Administrator
info at ...2282...
Tue Nov 18 15:54:25 EST 2003
To bring this back on conversation, the original question was to avoid a
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Matt
> Sent: Tuesday, November 18, 2003 4:44 PM
> To: bmcdowell at ...7861...; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Attack on snort running in Public Zone
> At 04:35 PM 11/18/2003, bmcdowell at ...7861... wrote:
> >It seems to me that, second interface or not, such an exploit as the
> >example Matt gave could also be used to somehow provide an IP to the
> >'stealth' box.
> >Now a tap, well, they would need to do some wiring to beat that one
> >(unless there's another interface). Right?
> In a box with only one NIC, connected to a hardware tap with no send
> capabilities, even the best case for an exploiter would leave them limited
> to making changes to the snort box itself.. ie: they could load code to
> delete files, call for shutdown, etc.
> So it's still not hackproof, but you've greatly limited what they can do.
> Realistically they'd also be limited in the size of the code they could
> execute by the nature of the buffer overflow in snort they were
> exploiting.. I've never studied the old 1.9.x stream4 exploit to get an
> idea of roughly how much code could be executed with it.
> However, they'd never be able to get any kind of remote shell, or get any
> data out of the snort box to do much useful.
> Of course, your only way of getting a prompt or data out of the box would
> be at the physical console itself. You'd not be able to get a remote login
> shell, etc, either.