[Snort-users] Attack on snort running in Public Zone
mkettler at ...4108...
Wed Nov 19 08:17:02 EST 2003
At 07:00 PM 11/18/2003, Lucretia Enterprises Administrator wrote:
>To bring this back on conversation, the original question was to avoid a
(trimming the to: list to just the list itself)
Actually, the topic of this thread was to avoid a DoS attack against the
snort box, not a DDoS.
Since an overflow exploit in snort itself could result in a DoS attack
against the snort box, it's certainly relevant to this discussion to note
that, despite any claims to the contrary, a "stealth" interface with no IP
address will not provide protection against that form of DoS. It also won't
provide absolute protection from general exploitation of the box.
Technically nothing short of unplugging the snort box entirely can
absolutely protect it against all kinds of DoS attacks, but it's worth
knowing what your level of risk is and how to minimize it.
Stealth interfaces, one-way-taps, using a secured configuration of the OS
of your choice, and utilizing snort's ability to chroot/setuid (on
platforms that support chroot and setuid) are all ways to minimize the
level of risk, by limiting the kinds of attack that will be effective, and
reducing the scope of damage that can be done. This general concept is just
as applicable to DoS scenarios as full exploit scenarios, and DoS attacks are
even more difficult to protect against.
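As an added illustration of the hardening options the post lists (this is not code from the post or from the Snort project): a POSIX shell wrapper that launches Snort 2.x with its -u/-g (drop to an unprivileged user and group), -t (chroot) and -i (sniffing interface) options, after first confirming that the monitoring interface carries no IP address and that the chroot directory is not writable by the Snort user. The interface name, user, group, chroot directory and config path are assumed placeholders, and the two `ip addr show` outputs are constructed samples.

```shell
#!/bin/sh
# Added example: hardened Snort 2.x launch wrapper. All names below are assumptions.

SNIFF_IF="${SNIFF_IF:-eth1}"
SNORT_USER="${SNORT_USER:-snort}"
SNORT_GROUP="${SNORT_GROUP:-snort}"
SNORT_JAIL="${SNORT_JAIL:-/var/snort/chroot}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Returns 0 (true) when the given `ip addr show dev <if>` text shows no IPv4
# or IPv6 address, i.e. the interface is "stealth". Takes the text as $1 so
# it can be checked against constructed samples without touching the real stack.
iface_is_stealth() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6?[[:space:]]'
}

# Build the Snort command line: -u/-g drop root after packet capture is set
# up, -t chroots into the jail, -D daemonizes, -i selects the sniffing
# interface, -c names the rules/config file.
build_snort_cmd() {
    printf 'snort -D -i %s -u %s -g %s -t %s -c %s' "$1" "$2" "$3" "$4" "$5"
}

# Constructed samples of `ip addr show dev ...` output (not real hosts).
STEALTH_SAMPLE='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
ADDRESSED_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::1/64 scope link'

# Only launch when invoked as `./snort-hardened.sh launch`; otherwise the
# functions above are merely defined so the file can be sourced or tested.
if [ "${1:-}" = "launch" ]; then
    live="$(ip addr show dev "$SNIFF_IF")" || exit 1
    if ! iface_is_stealth "$live"; then
        echo "refusing to start: $SNIFF_IF has an IP address configured" >&2
        exit 1
    fi
    # The jail must not be writable by the unprivileged Snort user, or a
    # compromised sensor process could plant files inside its own chroot.
    if su -s /bin/sh "$SNORT_USER" -c "test -w '$SNORT_JAIL'" 2>/dev/null; then
        echo "refusing to start: $SNORT_JAIL is writable by $SNORT_USER" >&2
        exit 1
    fi
    exec $(build_snort_cmd "$SNIFF_IF" "$SNORT_USER" "$SNORT_GROUP" "$SNORT_JAIL" "$SNORT_CONF")
fi
```

The wrapper refuses to start if the stealth property does not actually hold, which is the check the thread is arguing about: an interface with an address is reachable, and a reachable sensor has a larger attack surface than one that only listens. The privilege drop and chroot do not stop a parser overflow from crashing the process (the DoS the post describes), but they bound what a successful exploit can do afterwards.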