Snort mailing list archives
Re: Antwort: RE: Snort-Machine = Security Hole?
From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Thu, 12 Jul 2001 13:50:45 -0400
Please help me understand this: if you don't have connectivity to the Internet (by means of the lack of a default gateway, or blocking the Internet connectivity on the firewall, ...), how can a buffer overflow exploit give an attacker an active remote root session? In such a case, a buffer overflow exploit should install and run a locally executed program on the snort box with no interaction with the outside world, right?

At any rate, could LIDS be of any help (at least for Linux boxes)?

Ramin

On Thu, Jul 12, 2001 at 11:10:38AM -0500, Crow, Owen wrote:
Lack of a default gateway is another obstacle, but not insurmountable if you have root on the vulnerable box. Most modern worms attempt multiple methods of getting back to their masters, from direct connection to finding another, better connected system to compromise.

All of the above rests on the possibility that an attacker can squeeze enough instructions into a buffer overflow exploit to actively continue the compromise despite being cut off from the Internet. I haven't seen it yet, but I'm sure we will in the next 5 years.

I agree cutting send wires protects from all known attacks. I'm attempting to protect against PFTF attacks (paranoid-fantasy, theoretical-future :).

Owen

-----Original Message-----
From: ks () schuricht de [mailto:ks () schuricht de]
Sent: Thursday, July 12, 2001 10:26 AM
To: snort-users () lists sourceforge net
Subject: Antwort: RE: [Snort-users] Snort-Machine = Security Hole?

Hi,

but how does a machine without a default gateway open a connection to outer 'space'? And, if you also deny any outgoing packet from the 'snort-machine' to the Internet? Seems impossible. But what happens if they hack your front firewall? ;)

Best solution seems to be to cut the send wires from the snort-machine from the cable connected to the DMZ ;)

Bye,
Kai.