[Dshield] Re: Guidance

Josh Tolley josh at raintreeinc.com
Wed Feb 11 22:14:36 GMT 2004

True that they've all had issues in the past, and yes, you should keep up 
with patches. Ideally, though, you have two interfaces in the sensor -- 
one is always in promiscuous mode on a spanning port or a hub or 
something, but deliberately misconfigured (bad IP or just 'ifconfig eth1 
down' or something) so that it can see anything that comes its way but 
can't send anything back. All your access (to see logs, configure the 
box, etc.) is through a separate interface. So basically any traffic 
designed to compromise snort would have to happen with one packet or at 
least without any feedback from the target machine, because it's set up 
so it can't respond to anything on that interface. You still definitely 
need to keep up with patches and things, but those patches become a lot 
lower priority than, say, MS's ASN.1 patch...

Josh Tolley

Andrew Rucker Jones wrote:

> Sure. :) Then You have the problem of keeping up with patches, like You
> do with any software.
>         -&
> Smith, Donald wrote:
> | Snort, tcpdump and all libpcap based sniffers have had issues.
> | If you track the vulnerabilities the patches have been released at
> | about the same time as the vulnerability announcements.
> |
> | Donald.Smith at qwest.com GCIA
> | http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> | IEeeee the sound made when sliding down a slippery surface towards an
> | unknown.
> - --
> GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
> Encrypt everything. / Alles verschlüsseln.

Josh Tolley
Raintree Systems, Inc.
760 509 9000
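The listen-only sniffer interface Josh describes, written out as an added example (this is not code from the original thread or from any of its posters). It assumes a Linux sensor with iproute2 (`ip`), `iptables` and `sysctl`; the interface name (`eth1` in the usage) is hypothetical. The plan strips every address from the interface, turns ARP off so the kernel will not answer who-has requests, disables IPv6 so no router solicitations or neighbour discovery leave the box, puts the link in promiscuous mode, and finally drops any IPv4 the stack might still try to send out that interface. Printing the plan before running it lets you review it without root.

```shell
#!/bin/sh
# Added example, not code from the original post.  Turns a dedicated
# sniffer interface into a receive-only tap: it sees everything on the
# span port / hub, but the host cannot answer through it.
# Assumptions: Linux with iproute2 (ip), iptables and sysctl; the
# interface name is hypothetical and passed as an argument.

# Emit, one per line, the commands that make IFACE listen-only.
# Order matters: ARP and IPv6 are switched off before the link comes up,
# so nothing is transmitted during the window in which it is coming up.
stealth_iface_plan() {
    iface="$1"
    cat <<EOF
ip addr flush dev $iface
ip link set dev $iface arp off
sysctl -q -w net.ipv6.conf.$iface.disable_ipv6=1
ip link set dev $iface promisc on
ip link set dev $iface up
iptables -A OUTPUT -o $iface -j DROP
EOF
}

# Run the plan (needs root).  Every line is a plain command with no
# quoting, so letting the shell word-split $cmd is safe here.
stealth_iface_apply() {
    stealth_iface_plan "$1" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd || exit 1     # exits only the pipeline subshell; status propagates
    done
}

# Post-apply sanity check: complain if the interface still has an IPv4
# address, is not promiscuous, or still has ARP enabled.
stealth_iface_check() {
    iface="$1"
    rc=0
    if ip -o -4 addr show dev "$iface" | grep -q inet; then
        echo "$iface still has an IPv4 address" >&2; rc=1
    fi
    if ! ip -o link show dev "$iface" | grep -q PROMISC; then
        echo "$iface is not in promiscuous mode" >&2; rc=1
    fi
    if ! ip -o link show dev "$iface" | grep -q NOARP; then
        echo "$iface still answers ARP" >&2; rc=1
    fi
    return $rc
}

# Usage:  sh stealth-iface.sh plan eth1    (print the commands)
#         sh stealth-iface.sh apply eth1   (run them, then verify; root)
#         sh stealth-iface.sh check eth1   (verify only)
case "${1:-}" in
    plan)  stealth_iface_plan "$2" ;;
    apply) stealth_iface_apply "$2" && stealth_iface_check "$2" ;;
    check) stealth_iface_check "$2" ;;
esac
```

The `iptables` rule is belt-and-braces: with no address, no ARP and no IPv6 the stack has nothing to say on that interface, but the DROP catches anything a misconfigured tool or a later `dhclient` might try. Management traffic (logs, configuration, ssh) goes over the other interface, exactly as the post suggests, so none of this gets in the way of running the sensor.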
