List: dailydave
Subject: RE: [Dailydave] Snorty snort snort
From: "Aleksander P. Czarnowski" <alekc () avet ! com ! pl>
Date: 2005-10-19 22:21:24
Message-ID: OIEFJBOICPHMOOCAIKNOKEBECPAA.alekc () avet ! com ! pl
I'm sorry but either I didn't understand your message or you haven't followed the posts on this topic. My main concern was the problem of detecting such vulnerabilities in a safe way by using a vulnerability scanner, so YOU as a GOOD guy could run it, detect the vulnerability and patch it before the BAD guys would exploit it. I hope now this is clear... Producing an exploit is one of the methods for risk assessment and vulnerability impact on a system, period.
BTW: shouldn't you send this question to vendors that provide such appliances?
Regards,
Aleksander Czarnowski
AVET INS
> -----Original Message-----
> From: Rodney Thayer [mailto:rodney@canola-jones.com]
> Sent: Wednesday, October 19, 2005 5:49 PM
> To: dailydave
> Subject: Re: [Dailydave] Snorty snort snort
>
>
> Aleksander P. Czarnowski wrote:
> > Another cool thing about NIDS vulnerabilities is how you can scan for them
> > remotely without accessing the local system. You can either try to exploit
> > it or to crash snort. In the latter case how can you tell that it really
> > crashed without accessing the snort or central console?
> >
> > This is why I just love producing exploits for such things :)
> > Cheers,
>
> Let's just think about this for a minute. Suppose I attack a NIDS.
> I do something exotic and hard, like, oh, say, writing Dave a check.
> This means I send (bad packets) through the main network path,
> and the NIDS, via its tap, which may well be passive, starts coughing
> furballs.
>
> At this point I as a defender assume that you as the attacker are aware
> you now have a compromised box with a (possibly passive) tap on the
> main network but a fully functional network interface on some management
> and/or internal network. I assume you drop in some sort of exploit
> payload that will figure out how to phone home or crawl around on the
> management net and attack something soft (like a 2-factor token server
> running on Windows) and from there you'll phone home.
>
> Isn't that how you bad guys do it? I saw Swordfish on cable the other
> night - unfortunately they watered down the nightclub hacking scene.
>
> The response I WANT to see is that the security appliance is hardened,
> for some serious value of hardened. grsecurity, immunix, selinux,
> watchdog timers, some level of defense widgetry. Something. At least show
> me some interesting lies in the damn powerpoint presentation.
> And, I assume that watching the NIDS to see if it's alive is a thing my
> security infrastructure should be doing. One of my "this is way too easy"
> product review tricks is to ask security appliance vendors if they emit a
> log message when the system starts. This appears to be an exotic notion.
> I assume some of you bad guys will pop a machine such that it reboots, so
> a spurious startup message can be scored as a red flag in my
> anomaly-detecting log analyzer...
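The two checks Rodney describes (watch the sensor's liveness, and treat a startup message that no clean shutdown preceded as a red flag) as an added example that is not from either poster; the log lines are constructed, and the "nids-watchdog" heartbeat and the exact snort message strings are assumptions to be swapped for your own sensor's output:

```python
from datetime import datetime, timedelta
import re

# Constructed syslog-style lines for two hypothetical sensors. nids1 goes
# quiet and then comes back with a startup message and no prior clean exit;
# nids2 restarts after a clean "exiting" message (planned maintenance).
SAMPLE_LOG = """\
2005-10-19T17:49:00 nids1 nids-watchdog: heartbeat
2005-10-19T17:50:00 nids1 nids-watchdog: heartbeat
2005-10-19T17:51:00 nids1 nids-watchdog: heartbeat
2005-10-19T17:53:00 nids2 snort[700]: Snort exiting
2005-10-19T17:53:30 nids2 snort[701]: Initializing Network Interface eth1
2005-10-19T17:56:10 nids1 snort[812]: Initializing Network Interface eth1
2005-10-19T17:57:00 nids1 nids-watchdog: heartbeat
"""

# "<iso timestamp> <host> <program>[<pid>]: <message>" (pid optional)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return datetime.fromisoformat(ts), host, prog, msg

def analyze(log_text, heartbeat_interval=60, slack=15):
    """Return (kind, host, timestamp) alerts for heartbeat gaps and for
    sensor startups that were not preceded by a clean shutdown."""
    alerts = []
    last_beat = {}       # host -> timestamp of its last heartbeat
    clean_stop = set()   # hosts whose last snort event was a clean exit
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, host, prog, msg = rec
        if prog == "nids-watchdog" and msg == "heartbeat":
            prev = last_beat.get(host)
            if prev and ts - prev > timedelta(seconds=heartbeat_interval + slack):
                alerts.append(("heartbeat_gap", host, ts))
            last_beat[host] = ts
        elif prog == "snort":
            if msg.startswith("Initializing"):
                if host not in clean_stop:      # reboot nobody announced
                    alerts.append(("unexpected_restart", host, ts))
                clean_stop.discard(host)
            elif "exiting" in msg.lower():
                clean_stop.add(host)
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A heartbeat gap alone cannot distinguish a crashed sensor from a dead tap or a busy syslog path, which is why the startup-message check is kept as a separate signal.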