Snort mailing list archives

RE: Receive Only Cable...


From: "Abe L. Getchell" <abegetchell () home com>
Date: Tue, 15 Jan 2002 00:02:04 -0500

Hi Frank!

You wouldn't be able to launch a DoS against the system per se, but the
application (in this case Snort) the system was running.  Since the
packets _are not_ being processed by the sensor's IP stack (it's running
in stealth mode with IP disabled), the 'system' _would not_ 'see' or
process the packets _at all_.  The trick would be, as I mentioned above,
to DoS the application - Snort.  Making Snort choke is dependent on how
it handles DoS conditions compared to an IP stack; it might not choke on
the same things that make a system's IP stack choke.

For instance, if I'm running a sensor on Solaris x86 (heh) monitoring my
internet pipe, and I send a DoS attack into my internal network from my
machine at home that I _know_ makes Solaris x86 choke, it's _not_ going
to kill the sensor.  The sensor's IP stack isn't processing the packets
and Snort simply catches the traffic, alerts on it, and goes on about
its business.

Please correct me if I'm wrong, but if IP isn't enabled as mentioned
below, then why would a specific IP-based DoS work?

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank
Knobbe
Sent: Monday, January 14, 2002 7:17 PM
To: 'Chris Arsenault'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Receive Only Cable...


-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
I guess any type of ICMP and UDP flood/DoS would still work.
After all, if Snort can see the packet, the system can.
  
Getting in as far as hacking..... I don't think so, since no data 
leaves the interface (well, the cable more or less :) 
  
Regards, 
Frank 
  
  
PS: I was contemplating making a little How-to video of the creation 
of the cable (since I get this asked a lot). Is there interest in 
such a 'how do you crimp a funky cable' mpeg? 
- -----Original Message----- 
From: Chris Arsenault [mailto:carsenault () firstedcu org] 
Sent: Monday, January 14, 2002 5:35 PM 
To: snort-users () lists sourceforge net 
Subject: [Snort-users] Receive Only Cable... 


     I set up a receive only cable as described in the Snort FAQ,
works like a charm!!  I was just wondering with this cable and the
interface it is plugged into set up as stealth, can anyone describe a 
possible attack which can still get to this box? 
  
Thanks, 
  
Chris Arsenault 
  
  
-----BEGIN PGP SIGNATURE----- 
Version: PGP Personal Privacy 6.5.8 
Comment: PGP or S/MIME (X.509) encrypted email preferred. 
iQA/AwUBPEN1EczYtOFvgXQfEQLyEACePHDdQCXnXWcsHfYh48zoi8Oo+PwAn32G 
v7BsTXqKAJkKEtDG8Kuq5aG9 
=V30/ 
-----END PGP SIGNATURE----- 
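The point Abe makes above, that on a stealth sensor the exposed surface is the sniffing application's own packet parser rather than the host's IP stack, shown as an added Python example. This is not code from the thread or from Snort: it is a minimal Ethernet/IPv4 decoder with the bounds checks a passive sensor needs so that truncated or length-lying frames are counted and dropped instead of crashing the capture loop. The frame bytes, MAC and IP addresses, and the function names (decode_frame, process_capture, build_udp_frame) are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_MIN_HDR = 20


class MalformedPacket(ValueError):
    """Raised for any frame the decoder cannot parse safely."""


@dataclass
class Decoded:
    src: str
    dst: str
    proto: int
    ip_total_len: int
    payload_len: int


def decode_frame(frame: bytes) -> Decoded:
    """Decode Ethernet -> IPv4 with explicit bounds checks.

    A passive sensor parses these bytes itself; with no IP configured on the
    capture interface the kernel never looks at them, so this parser, not the
    host IP stack, is what hostile input can exercise.
    """
    if len(frame) < ETH_HDR_LEN:
        raise MalformedPacket("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise MalformedPacket(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < IPV4_MIN_HDR:
        raise MalformedPacket("truncated IPv4 header")
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        raise MalformedPacket("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IPV4_MIN_HDR or ihl > len(ip):
        raise MalformedPacket("IHL outside captured bytes")
    total_len = struct.unpack("!H", ip[2:4])[0]
    # Never trust the on-wire length over the bytes actually captured.
    if total_len < ihl or total_len > len(ip):
        raise MalformedPacket("IP total length disagrees with captured bytes")
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return Decoded(src, dst, proto, total_len, total_len - ihl)


def process_capture(frames: List[bytes]) -> Dict[str, int]:
    """Capture loop: malformed frames are counted, never allowed to abort it."""
    stats = {"decoded": 0, "malformed": 0}
    for frame in frames:
        try:
            decode_frame(frame)
            stats["decoded"] += 1
        except MalformedPacket:
            stats["malformed"] += 1
    return stats


def build_udp_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample frame (placeholder MACs, zero checksums)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    total_len = IPV4_MIN_HDR + len(udp)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
        bytes(int(x) for x in src.split(".")),
        bytes(int(x) for x in dst.split(".")),
    )
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp


# Constructed sample capture: one well-formed frame and three that a naive
# parser would trip over (short Ethernet header, short IP header, and an IP
# total length larger than the bytes on the wire).
GOOD_FRAME = build_udp_frame("10.0.0.1", "10.0.0.2", b"hello")
SAMPLE_FRAMES = [
    GOOD_FRAME,
    GOOD_FRAME[:10],
    GOOD_FRAME[:ETH_HDR_LEN + 12],
    GOOD_FRAME[:16] + struct.pack("!H", 1500) + GOOD_FRAME[18:],
]

if __name__ == "__main__":
    print(decode_frame(GOOD_FRAME))
    print(process_capture(SAMPLE_FRAMES))
```

The length check against the captured byte count is the one that matters most in practice: a sensor that sizes buffers or slices from the on-wire total length field rather than from what it actually received is exactly the kind of application-layer weakness Abe describes, and it is independent of whether the host's own IP stack would survive the same traffic.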

