Snort mailing list archives
RE: Snort-Machine = Security Hole?
From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Tue, 17 Jul 2001 08:32:44 -0700
This is exactly why you can (should) leave IPChains denying all on the snort interface. Snort will still see all the traffic and the Kernel will still drop everything...

Obviously, a tap or spliced cable can keep anything from being sent from the snort interface. Taps are expensive and often ruled out. The spliced cable is kind of a work-around and may not be acceptable in many environments.

(¯`·.¸¸.·´¯`
/Dan Hawrylkiw
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.

-----Original Message-----
From: Andreas Steinmetz [mailto:ast () domdv de]
Sent: Friday, July 13, 2001 9:55 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort-Machine = Security Hole?

You should be careful to believe an ethernet interface with no ip address assigned will not process any packets.

Try the following on linux 2.2.19 (possibly other versions, too, but I'm running this kernel on my production systems):

Set up a network interface with no IP address. Use ipchains to deny and log all packets on this interface. Send a udp packet with destination address 255.255.255.255 to this interface and watch the firewall log. Or, if the kernel supports multicasts, send a multicast packet to this interface and watch the firewall log.

In both cases the firewall happily reports the packet was rejected on input (at least on my systems) which just means that without firewalling the kernel would have processed and delivered these packets even as there is no ip assigned to the interface.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
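Added example, not part of the original thread: a Python check over ipchains log entries of the kind the quoted test produces, counting what reached the input chain on the address-less interface and listing anything that was not dropped. The log lines are constructed samples, and the interface names eth0 and eth1 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Layout of a Linux 2.2 ipchains "-l" log entry: chain, action, interface,
# protocol number, source[:port], destination[:port].
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? "
)

# Constructed sample entries (not from the thread). eth1 is the assumed
# address-less Snort interface, eth0 an assumed management interface.
SAMPLE_LOG = [
    "Jul 13 09:50:01 ids kernel: Packet log: input DENY eth1 PROTO=17 192.0.2.10:1025 255.255.255.255:9 L=29 S=0x00 I=4242 F=0x0000 T=64 (#1)",
    "Jul 13 09:50:07 ids kernel: Packet log: input DENY eth1 PROTO=17 192.0.2.10:1026 224.0.0.1:9 L=29 S=0x00 I=4243 F=0x0000 T=1 (#1)",
    "Jul 13 09:50:09 ids kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.20:3301 192.0.2.1:22 L=60 S=0x00 I=77 F=0x4000 T=64 SYN (#2)",
    "Jul 13 09:51:30 ids kernel: Packet log: input ACCEPT eth1 PROTO=17 192.0.2.10:1027 255.255.255.255:67 L=29 S=0x00 I=4244 F=0x0000 T=64 (#3)",
]

def dst_class(dst):
    """Classify a destination address the way the quoted test distinguishes them."""
    addr = ipaddress.IPv4Address(dst)
    if str(addr) == "255.255.255.255":
        return "limited-broadcast"
    return "multicast" if addr.is_multicast else "other"

def audit_sniff_iface(lines, iface):
    """Summarise input-chain log entries for `iface`.

    Returns (seen, not_dropped): seen counts logged packets per destination
    class; not_dropped lists (src, dst, action) for entries whose action was
    anything other than DENY or REJECT.
    """
    seen, not_dropped = Counter(), []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["chain"] != "input" or m["iface"] != iface:
            continue
        seen[dst_class(m["dst"])] += 1
        if m["action"] not in ("DENY", "REJECT"):
            not_dropped.append((m["src"], m["dst"], m["action"]))
    return seen, not_dropped

if __name__ == "__main__":
    seen, not_dropped = audit_sniff_iface(SAMPLE_LOG, "eth1")
    print("logged on eth1 by destination class:", dict(seen))
    print("entries on eth1 that were not dropped:", not_dropped)
```

Every entry counted in `seen` is a packet that reached the input chain on an interface with no address; an entry in `not_dropped` points at a rule that matched ahead of the deny-all.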
Current thread:
- Re: Snort-Machine = Security Hole?, (continued)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- Re: Snort-Machine = Security Hole? Dan Hollis (Jul 12)
- RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Snort-Machine = Security Hole? Davis, Scott (Jul 12)
- RE: Snort-Machine = Security Hole? Burleson, Lee (IA) (Jul 12)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- RE: Snort-Machine = Security Hole? ks (Jul 12)
- RE: Snort-Machine = Security Hole? Andreas Steinmetz (Jul 13)
- RE: Snort-Machine = Security Hole? Robert D. Hughes (Jul 13)
- RE: Snort-Machine = Security Hole? Dan Hollis (Jul 13)
- RE: Snort-Machine = Security Hole? Hawrylkiw, Dan G (Jul 17)
- Re: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)