[Dshield] Re: Guidance
josh at raintreeinc.com
Wed Feb 11 22:14:36 GMT 2004
True that they've all had issues in the past, and yes, you should keep up
with patches. Ideally, though, you have two interfaces in the sensor --
one is always in promiscuous mode on a spanning port or a hub or
something, but deliberately misconfigured (bad IP or just 'ifconfig eth1
down' or something) so that it can see anything that comes its way but
can't send anything back. All your access (to see logs, configure the
box, etc.) is through a separate interface. So basically any traffic
designed to compromise snort would have to happen with one packet or at
least without any feedback from the target machine, because it's set up
so it can't respond to anything on that interface. You still definitely
need to keep up with patches and things, but those patches become a lot
lower priority than, say, MS's ASN.1 patch...
Andrew Rucker Jones wrote:
> Sure. :) Then You have the problem of keeping up with patches, like You
> do with any software.
> Smith, Donald wrote:
> | Snort, tcpdump and all libpcap based sniffers have had issues.
> | If you track the vulnerabilities the patches have been released at
> | about the same time as the vulnerability announcements.
> | Donald.Smith at qwest.com GCIA
> | http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> | IEeeee the sound made when sliding down a slippery surface towards an
> --
> GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
> Encrypt everything. / Alles verschlüsseln.
Raintree Systems, Inc.
760 509 9000
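The two-interface sensor layout described above, as an added example that is not part of the original message or of any Snort/DShield project code. It assumes a Linux sensor with the span-port NIC named eth1 and management on a separate NIC; the sample `ip addr show` dumps are constructed for offline testing. Rather than the 'bad IP / ifconfig down' trick from the post, it leaves the sniffing link up (libpcap needs the link up to capture) but strips every address and disables ARP, so the NIC can hear the SPAN traffic and has nothing it could answer with.

```shell
#!/bin/sh
# Added example: put a sniffing NIC into "receive only" mode and verify it.
# SNIFF_IF is an assumed interface name; management traffic must stay on a
# different interface (eth0 or whatever the box is reached on).
SNIFF_IF="${SNIFF_IF:-eth1}"

# Emit the commands that make $SNIFF_IF a stealth sniffing interface.
# They are printed rather than executed so this script runs without root;
# on the sensor, run:  sh this_script.sh | sudo sh
stealth_commands() {
    cat <<EOF
ip addr flush dev $SNIFF_IF
ip link set dev $SNIFF_IF arp off multicast off
ip link set dev $SNIFF_IF promisc on up
sysctl -w net.ipv6.conf.$SNIFF_IF.disable_ipv6=1
EOF
}

# Judge an 'ip addr show dev <if>' dump read from stdin. Returns 0 only if
# the link is up and promiscuous, ARP is off, and no inet/inet6 address is
# configured, i.e. the NIC can listen but cannot talk back.
is_stealth() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q 'PROMISC' \
        || { echo "not promiscuous" >&2; return 1; }
    printf '%s\n' "$dump" | grep -q 'NOARP' \
        || { echo "ARP still enabled" >&2; return 1; }
    printf '%s\n' "$dump" | grep -Eq '[<,]UP[,>]' \
        || { echo "link not up" >&2; return 1; }
    printf '%s\n' "$dump" | grep -Eq '^[[:space:]]+inet6? ' \
        && { echo "interface still has an address" >&2; return 1; }
    return 0
}

# Constructed sample dumps (not real sensor output) for offline checks.
GOOD_DUMP='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
BAD_DUMP='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
    inet6 fe80::ff:fe00:1/64 scope link'

# Live check on the real sensor:  sh this_script.sh live
if [ "${1:-}" = "live" ]; then
    ip addr show dev "$SNIFF_IF" | is_stealth && echo "$SNIFF_IF is receive-only"
fi
```

Run the check after every reboot or network-config change on the sensor, since a helpful DHCP client or a NetworkManager profile re-adding an address to the sniffing NIC silently turns it back into a host that an attacker can get feedback from.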