Snort mailing list archives
RE: Receive Only Cable...
From: "Abe L. Getchell" <abegetchell () home com>
Date: Tue, 15 Jan 2002 00:02:04 -0500
Hi Frank!

You wouldn't be able to launch a DoS against the system per se, but against the application (in this case Snort) the system was running. Since the packets _are not_ being processed by the sensor's IP stack (it's running in stealth mode with IP disabled), the 'system' _would not_ 'see' or process the packets _at all_. The trick would be, as I mentioned above, to DoS the application - Snort.

Making Snort choke is dependent on how it handles DoS conditions compared to an IP stack; it might not choke on the same things that make a system's IP stack choke. For instance, if I'm running a sensor on Solaris x86 (heh) monitoring my internet pipe, and I send a DoS attack into my internal network from my machine at home that I _know_ makes Solaris x86 choke, it's _not_ going to kill the sensor. The sensor's IP stack isn't processing the packets and Snort simply catches the traffic, alerts on it, and goes on about its business.

Please correct me if I'm wrong, but if IP isn't enabled as mentioned below, then why would a specific IP-based DoS work?

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Knobbe
Sent: Monday, January 14, 2002 7:17 PM
To: 'Chris Arsenault'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Receive Only Cable...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I guess any type of ICMP and UDP flood/DoS would still work. After all, if Snort can see the packet, the system can.

Getting in as far as hacking..... I don't think so, since no data leaves the interface (well, the cable more or less :)

Regards,
Frank

PS: I was contemplating making a little How-to video of the creation of the cable (since I get this asked a lot). Is there interest in such a 'how do you crimp a funky cable' mpeg?

-----Original Message-----
From: Chris Arsenault [mailto:carsenault () firstedcu org]
Sent: Monday, January 14, 2002 5:35 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Receive Only Cable...

I set up a receive only cable as described in the Snort FAQ, works like a charm!! I was just wondering, with this cable and the interface it is plugged into set up as stealth, can anyone describe a possible attack which can still get to this box?

Thanks,
Chris Arsenault

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPEN1EczYtOFvgXQfEQLyEACePHDdQCXnXWcsHfYh48zoi8Oo+PwAn32G
v7BsTXqKAJkKEtDG8Kuq5aG9
=V30/
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
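The argument in the thread rests on the sniffing interface really having no IP stack behind it: no IPv4 or IPv6 address bound and the link in promiscuous mode so that only the capture library (and Snort on top of it) ever sees the frames. The check below is an added example written for this archive page; it is not code from the thread or from the Snort project. It assumes a Linux host with iproute2 (`ip -o addr show` / `ip -o link show`), which is not what the posters were running, and it parses constructed sample output so it can be run offline; `live_check()` runs the real commands. The interface names and addresses in the sample are made up. Note that an IPv6 link-local address appearing on an otherwise unconfigured interface is the common way a "stealth" interface quietly stops being stealth, so the check treats any bound address as a failure.

```python
"""Verify that a Snort capture interface has no IP stack attached.

An interface counts as "stealth" here when it is UP, is in promiscuous
mode, and has no IPv4 or IPv6 address bound (link-local included).
"""
import re
import subprocess

# Constructed sample output (not captured from a real host).
# eth0: normal management interface with an IPv4 address.
# eth1: the sniffing interface on the receive-only cable.
# eth2: no IPv4 address, but the kernel still auto-configured an IPv6
#       link-local address and the link is not in promiscuous mode.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
4: eth2    inet6 fe80::5054:ff:fe12:3456/64 scope link \\       valid_lft forever preferred_lft forever
"""

SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:dd:ee:ff brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

# "<index>: <iface>    inet|inet6 <address/prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)")
# "<index>: <iface>[@parent]: <FLAG,FLAG,...> ..."
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def parse_addresses(output):
    """Map interface name -> list of (family, address) from `ip -o addr show`."""
    addrs = {}
    for line in output.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return addrs


def parse_link_flags(output):
    """Map interface name -> set of link flags from `ip -o link show`."""
    flags = {}
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(","))
    return flags


def assess_interface(iface, addr_output, link_output):
    """Return a verdict dict; 'stealth' is True only when nothing is wrong."""
    addrs = parse_addresses(addr_output).get(iface, [])
    flags = parse_link_flags(link_output).get(iface)
    if flags is None:
        return {"iface": iface, "present": False, "stealth": False,
                "problems": ["interface not found"]}
    problems = []
    if addrs:  # any bound address means the host IP stack will answer traffic
        problems.append("has addresses: " +
                        ", ".join(f"{fam} {a}" for fam, a in addrs))
    if "UP" not in flags:
        problems.append("link is not UP")
    if "PROMISC" not in flags:
        problems.append("not in promiscuous mode")
    return {"iface": iface, "present": True, "addresses": addrs,
            "flags": sorted(flags), "stealth": not problems, "problems": problems}


def live_check(iface):
    """Run the real iproute2 commands on this host (Linux only)."""
    addr = subprocess.run(["ip", "-o", "addr", "show"], capture_output=True,
                          text=True, check=True).stdout
    link = subprocess.run(["ip", "-o", "link", "show"], capture_output=True,
                          text=True, check=True).stdout
    return assess_interface(iface, addr, link)


if __name__ == "__main__":
    for name in ("eth0", "eth1", "eth2"):
        verdict = assess_interface(name, SAMPLE_ADDR, SAMPLE_LINK)
        status = "stealth" if verdict["stealth"] else "NOT stealth"
        print(f"{name}: {status} {verdict['problems']}")
```

Run as `python3 stealth_check.py` to see the sample verdicts, or call `live_check("eth1")` from a shell on the sensor itself; anything that is reported as a problem is an avenue through which the host, and not just Snort, would process incoming packets.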
Current thread:
- Receive Only Cable... Chris Arsenault (Jan 14)
- <Possible follow-ups>
- RE: Receive Only Cable... Frank Knobbe (Jan 14)
- Re: Receive Only Cable... Anthony Scalzitti (Jan 14)
- RE: Receive Only Cable... Abe L. Getchell (Jan 14)
- RE: Receive Only Cable... Frank Knobbe (Jan 14)
- Re: Receive Only Cable... Ian Masters (Jan 14)
- Re: Receive Only Cable... Erek Adams (Jan 15)