Snort mailing list archives
Re: Snort-Machine = Security Hole?
From: "Daniel Voyer" <daniel.voyer () cgi ca>
Date: Thu, 12 Jul 2001 08:40:51 -0400
Hey ... I don't catch this one ... Imagine this scenario: I put a hub or a switch (with span port) between my firewall and my Internet router. On this hub I place a snort machine with two nic. The first nic is directly connected to the switch with *0.0.0.0* ip address. The second nic is directly connected on a management lan somewhere in my internal network. I use first nic (0.0.0.0) to do what an IDS should do, I sniff the network with some filter.... And I use the second nic to manage my snort box and to receive any alert/log .... So now, what should be your concern about the security. How could somebody attack my snort box on the ip address 0.0.0.0 ? And if it's possible to attack my box (with ip 0.0.0.0), just in case we should be paranoid .... I can put an access list in my border router to deny any established connections on my snort box. And I will still receive any traffic passing throug the switch because I place my snort box on a span port (that's means I receive any thing than my switch put in it's buffer). So, again, how could you attack my snort box ?? - Dan I really interested to see any mail on this one. Thorsten Ziegler wrote:
Hi out there... during the last days, i've intensively explored snort and it's features - and then recognized problem i was not able to find any existing solutions... Given the location of a snort-box between the boarder router and the outer firewall - i'm aware of the security risk such a machine is creating according to the local security policy - so i decided to use the sentry-cd package and to create a diskless sniffer-station - so it's hard to compromise the machine. Next step was removing the IP of the machine (it was an private IP out of the transfer net between the router and the outer firewall). So now i'm having the problem how to bring the logging-information back in to my logging server - a second nic with a connection to the logging-server would make the cole use of the firewall obsolete - a direct link around the firewall, damnit. I'm not trusting the fact that the machine isn't able to reach from the outside without an IP... but what possibilities do i have? At first, i was thinking of syxslog-udp packets one way thorugh the firewall, a security risk less far then opening an interactive tcp-session through the firewall. But now i'm having the problem, that syslog.messages are kinda useless if i'm trying to figure out if there's an false or true security breach: i'm needing the hole packet dump - but logging to an mysql would require the establishment of an interactive TCP session from outside our firewall - i'm not glad about this idea. How did you solve this problem? I've also created an one-way utp-cable, but that doesn't look very nice in the corporate switchboard... Any suggestions are welcome.. Greetings, ZiG -- Security by obscurity _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort-Machine = Security Hole? Thorsten Ziegler (Jul 11)
- Re: Snort-Machine = Security Hole? Ramin Alidousti (Jul 11)
- Re: Snort-Machine = Security Hole? barre (Jul 11)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- Re: Snort-Machine = Security Hole? Dan Hollis (Jul 12)
- <Possible follow-ups>
- RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Snort-Machine = Security Hole? Davis, Scott (Jul 12)
- RE: Snort-Machine = Security Hole? Burleson, Lee (IA) (Jul 12)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- RE: Snort-Machine = Security Hole? ks (Jul 12)
- RE: Snort-Machine = Security Hole? Andreas Steinmetz (Jul 13)
- RE: Snort-Machine = Security Hole? Robert D. Hughes (Jul 13)
- RE: Snort-Machine = Security Hole? Dan Hollis (Jul 13)
- RE: Snort-Machine = Security Hole? Hawrylkiw, Dan G (Jul 17)
- Re: Snort-Machine = Security Hole? Ramin Alidousti (Jul 11)