List:       dailydave
Subject:    RE: [Dailydave] Snorty snort snort
From:       "Aleksander P. Czarnowski" <alekc () avet ! com ! pl>
Date:       2005-10-19 22:21:24
Message-ID: OIEFJBOICPHMOOCAIKNOKEBECPAA.alekc () avet ! com ! pl

I'm sorry, but either I didn't understand your message or you haven't followed the posts on this topic. My main concern was the problem of detecting such vulnerabilities in a safe way by using a vulnerability scanner, so YOU as a GOOD guy could run it, detect the vulnerability and patch it before the BAD guys would exploit it. I hope now this is clear... producing an exploit is one of the methods for risk assessment and vulnerability impact on a system, period.

BTW: shouldn't you send this question to vendors that provide such appliances?

Regards,
Aleksander Czarnowski
AVET INS

> -----Original Message-----
> From: Rodney Thayer [mailto:rodney@canola-jones.com]
> Sent: Wednesday, October 19, 2005 5:49 PM
> To: dailydave
> Subject: Re: [Dailydave] Snorty snort snort
> 
> 
> Aleksander P. Czarnowski wrote:
> > Another cool thing about NIDS vulnerabilities is how you can scan for them
> > remotely without accessing the local system. You can either try to exploit
> > it or to crash snort. In the latter case how can you tell that it really
> > crashed without accessing the snort or central console? 
> > 
> > This is why I just love producing exploits for such things :)
> > Cheers,
> 
> Let's just think about this for a minute.  Suppose I attack a NIDS.
> I do something exotic and hard, like, oh, say, writing Dave a check.
> This means I send (bad packets) through the main network path,
> and the NIDS, via its tap, which may well be passive, starts coughing
> furballs.
> 
> At this point I as a defender assume that you as the attacker are aware
> you now have a compromised box with a (possibly passive) tap on the
> main network but a fully functional network interface on some management
> and/or internal network.  I assume you drop in some sort of exploit
> payload that will figure out how to phone home or crawl around on the
> management net and attack something soft (like a 2-factor token server
> running on Windows) and from there you'll phone home.
> 
> Isn't that how you bad guys do it?  I saw Swordfish on cable the other
> night - unfortunately they watered down the nightclub hacking scene.
> 
> The response I WANT to see is that the security appliance is hardened,
> for some serious value of hardened.  grsecurity, immunix, selinux,
> watchdog timers, some level of defense widgetry.  Something.  At
> least show me some interesting lies in the damn powerpoint presentation.
> And, I assume that watching the NIDS to see if it's alive is a thing
> my security infrastructure should be doing.  One of my "this is way too
> easy" product review tricks is to ask security appliance vendors if they
> emit a log message when the system starts.  This appears to be an exotic
> notion.  I assume some of you bad guys will pop a machine such that it
> reboots so a spurious startup message can be scored as a red flag in my
> anomaly-detecting log analyzer...
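The quoted reply argues that the defender's own infrastructure should watch the NIDS for liveness and treat an unexplained startup message as a red flag. The script below is an added example of that check, not code from either poster or from any NIDS vendor: it assumes a constructed syslog-like line format (`timestamp host nids: message`) and a hypothetical sensor that logs `started`, `stopping` and a periodic `heartbeat`. Real sensors use different wording, so `parse_line()` is the part to adapt. It flags three things: a gap between messages longer than a few heartbeat intervals, a startup that was not preceded by a planned shutdown (the spurious reboot the thread describes), and a sensor that has gone silent relative to the current time.

```python
"""Liveness and unexpected-restart checks for NIDS sensor logs.

Added example, not part of the mailing-list thread. The log format, the
message texts ('heartbeat', 'started', 'stopping') and the two sensors are
all constructed for illustration; adapt parse_line() to a real sensor.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log. sensor1 does a clean operator-initiated restart and
# keeps reporting; sensor2 restarts with no preceding 'stopping' message
# (crash or forced reboot) and then falls silent.
SAMPLE_LOG = """\
2005-10-19T17:00:00 sensor1 nids: heartbeat
2005-10-19T17:01:00 sensor1 nids: heartbeat
2005-10-19T17:01:30 sensor1 nids: stopping (operator request)
2005-10-19T17:02:00 sensor1 nids: started, engine initialized
2005-10-19T17:03:00 sensor1 nids: heartbeat
2005-10-19T17:05:00 sensor1 nids: heartbeat
2005-10-19T17:07:00 sensor1 nids: heartbeat
2005-10-19T17:09:00 sensor1 nids: heartbeat
2005-10-19T17:00:00 sensor2 nids: heartbeat
2005-10-19T17:01:00 sensor2 nids: heartbeat
2005-10-19T17:06:00 sensor2 nids: started, engine initialized
""".splitlines()

# "Current time" for the silence check, chosen to match the sample above.
NOW = datetime(2005, 10, 19, 17, 10, 0)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) nids: (?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, host, kind) for a matching line, else None.

    kind is 'heartbeat', 'startup', 'shutdown' or 'other'. The message
    prefixes are the constructed ones used in SAMPLE_LOG.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    if msg.startswith("heartbeat"):
        kind = "heartbeat"
    elif msg.startswith("started"):
        kind = "startup"
    elif msg.startswith("stopping"):
        kind = "shutdown"
    else:
        kind = "other"
    return datetime.fromisoformat(m.group("ts")), m.group("host"), kind


def analyze(lines, now, heartbeat_interval=timedelta(seconds=60), max_missed=3):
    """Score a log for the signals the thread discusses.

    - a gap between two messages from one host longer than
      max_missed * heartbeat_interval (sensor wedged or tap unplugged)
    - a 'startup' with no 'stopping' since the previous startup
      (unplanned reboot or crash)
    - a host whose last message is older than the same threshold at `now`

    Returns a sorted list of (host, description) tuples so callers can
    feed it to an alerting pipeline or assert on it in tests.
    """
    threshold = heartbeat_interval * max_missed
    events = sorted(e for e in (parse_line(l) for l in lines) if e is not None)
    alerts = []
    last_seen = {}    # host -> timestamp of its most recent message
    clean_stop = {}   # host -> True once a planned 'stopping' was logged
    for ts, host, kind in events:
        prev = last_seen.get(host)
        if prev is not None and ts - prev > threshold:
            gap = int((ts - prev).total_seconds())
            alerts.append((host, f"heartbeat gap of {gap}s"))
        if kind == "shutdown":
            clean_stop[host] = True
        elif kind == "startup":
            if not clean_stop.get(host, False):
                alerts.append((host, "startup without preceding shutdown"))
            clean_stop[host] = False  # a future startup must be re-justified
        last_seen[host] = ts
    for host, ts in last_seen.items():
        if now - ts > threshold:
            alerts.append((host, f"silent since {ts.isoformat()}"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, why in analyze(SAMPLE_LOG, NOW):
        print(f"ALERT {host}: {why}")
```

With the constructed input only sensor2 is flagged: a 300 s gap before its startup, the startup itself because no `stopping` preceded it, and silence since 17:06. The design choice worth copying is that the planned-shutdown marker is consumed by the next startup, so a single operator restart does not whitelist every later reboot of that host.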
