[Snort-users] Attack on snort running in Public Zone

Matt Kettler mkettler at ...4108...
Wed Nov 19 08:17:02 EST 2003

At 07:00 PM 11/18/2003, Lucretia Enterprises Administrator wrote:
>To bring this back on conversation, the original question was to avoid a
>DDoS attack...

(trimming the to: list to just the list itself)

Actually, the topic of this thread was to avoid a DoS attack against the 
snort box, not a DDoS..

Since an overflow exploit in snort itself could result in a DoS attack 
against the snort box, it's certainly relevant to this discussion that any 
claims that a "stealth" interface with no IP address will not provide 
protection against that form of DoS. It also won't provide absolute 
protection from general exploitation of the box.

Technically nothing short of unplugging the snort box entirely can 
absolutely protect it against all kinds of DoS attacks, but it's worth 
knowing what your level of risk is and how to minimize it.

Stealth interfaces, one-way-taps, using a secured configuration of the OS 
of your choice, and utilizing snort's ability to chroot/setuid (on 
platforms that support chroot and setuid) are all ways to minimize the 
level of risk, by limiting the kinds of attack that will be effective, and 
reducing the scope of damage that can be done. This general concept is just 
as applicable to DoS scenarios as full exploit scenarios, and DoS's are 
even more difficult to protect against.

More information about the Snort-users mailing list