Dailydave mailing list archives

RE: Snorty snort snort
From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Thu, 20 Oct 2005 00:21:24 +0200

I'm sorry, but either I didn't understand your message or you haven't followed the posts on this topic. My main concern was
the problem of detecting such vulnerabilities in a safe way by using a vulnerability scanner, so YOU as a GOOD guy
could run it, detect the vulnerability and patch it before the BAD guys would exploit it. I hope now this is clear...
producing an exploit is one of the methods for risk assessment and vulnerability impact on a system, period.

BTW: shouldn't you send this question to vendors that provide such appliances?

Regards,
Aleksander Czarnowski
AVET INS

-----Original Message-----
From: Rodney Thayer [mailto:rodney () canola-jones com]
Sent: Wednesday, October 19, 2005 5:49 PM
To: dailydave
Subject: Re: [Dailydave] Snorty snort snort


Aleksander P. Czarnowski wrote:
Another cool thing about NIDS vulnerabilities is how you can scan for them
remotely without accessing the local system. You can either try to exploit
it or to crash snort. In the latter case how can you tell that it really
crashed without accessing snort or the central console?

This is why I just love producing exploits for such things :)
Cheers,

Let's just think about this for a minute.  Suppose I attack a NIDS.
I do something exotic and hard, like, oh, say, writing Dave a check.
This means I send (bad packets) through the main network path,
and the NIDS, via its tap, which may well be passive, starts coughing
furballs.

At this point I as a defender assume that you as the attacker are aware
you now have a compromised box with a (possibly passive) tap on the
main network but a fully functional network interface on some management
and/or internal network.  I assume you drop in some sort of exploit
payload that will figure out how to phone home or crawl around on the
management net and attack something soft (like a 2-factor token server
running on Windows) and from there you'll phone home.

Isn't that how you bad guys do it?  I saw Swordfish on cable the other
night - unfortunately they watered down the nightclub hacking scene.

The response I WANT to see is that the security appliance is hardened,
for some serious value of hardened.  grsecurity, immunix, selinux,
watchdog timers, some level of defense widgetry.  Something.  At least show
me some interesting lies in the damn powerpoint presentation.  And, I assume that
watching the NIDS to see if it's alive is a thing my security infrastructure
should be doing.  One of my "this is way too easy" product review tricks
is to ask security appliance vendors if they emit a log message when the
system starts.  This appears to be an exotic notion.  I assume some of
you bad guys will pop a machine such that it reboots so a spurious startup
message can be scored as a red flag in my anomaly-detecting log
analyzer...
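The two checks Rodney asks for in the quoted message, watching the NIDS to see whether it is still alive and scoring an unexpected startup message as a red flag, can be written as a small pass over the sensor's syslog output. The script below is an added example for this thread; it is not code from the thread, from Snort or from any appliance vendor. The syslog layout, the sensor program name "snort", the startup string "Commencing packet processing", the orderly-shutdown string "Snort exiting", the 30-minute silence threshold and the sample log lines are all constructed assumptions (the message strings are modelled on Snort 2.x but are plain constants you would adjust to your own sensor).

```python
"""Flag a NIDS sensor that goes silent or restarts without a clean shutdown.

Added example for the Dailydave discussion above; not code from the thread
or from Snort.  Assumptions: the sensor logs via syslog as program "snort",
its startup line contains "Commencing packet processing" and its orderly
shutdown line contains "Snort exiting".  All three are constants below.
"""
import re
from datetime import datetime, timedelta

# Constructed sample syslog output from one sensor host "nids1".  The sensor
# dies silently right after the 16:10 alert on a NOOP sled and is started
# again at 16:47 with no "Snort exiting" in between; the 17:31 restart is a
# clean, admin-driven one and must not be flagged.
SAMPLE_LOG = """\
Oct 19 16:00:00 nids1 snort[1001]: Commencing packet processing (pid=1001)
Oct 19 16:05:00 nids1 snort[1001]: [1:2003:8] BAD-TRAFFIC ... {TCP} 10.0.0.5:4444 -> 10.0.1.2:80
Oct 19 16:10:00 nids1 snort[1001]: [1:1390:5] SHELLCODE x86 inc ebx NOOP ... {TCP} 10.0.0.5:4445 -> 10.0.1.2:80
Oct 19 16:47:12 nids1 snort[1077]: Commencing packet processing (pid=1077)
Oct 19 16:48:00 nids1 snort[1077]: [1:2003:8] BAD-TRAFFIC ... {TCP} 10.0.0.7:3333 -> 10.0.1.2:80
Oct 19 17:05:00 nids1 snort[1077]: [1:2003:8] BAD-TRAFFIC ... {TCP} 10.0.0.7:3334 -> 10.0.1.2:80
Oct 19 17:20:00 nids1 snort[1077]: [1:2003:8] BAD-TRAFFIC ... {TCP} 10.0.0.7:3335 -> 10.0.1.2:80
Oct 19 17:30:00 nids1 sshd[2200]: Accepted publickey for admin from 10.0.99.1 port 51022 ssh2
Oct 19 17:31:00 nids1 snort[1077]: Snort exiting
Oct 19 17:32:30 nids1 snort[1100]: Commencing packet processing (pid=1100)
Oct 19 17:45:00 nids1 snort[1100]: [1:2003:8] BAD-TRAFFIC ... {TCP} 10.0.0.7:3336 -> 10.0.1.2:80
"""
SAMPLE_NOW = datetime(2005, 10, 19, 18, 30, 0)   # assumed wall clock at analysis time

SENSOR_PROG = "snort"
STARTUP_RE = re.compile(r"Commencing packet processing")   # assumed startup string
CLEAN_EXIT_RE = re.compile(r"Snort exiting")               # assumed orderly-shutdown string
SILENCE_LIMIT = timedelta(minutes=30)   # tune to how chatty the sensor normally is

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year=2005):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def analyze(log_text, now=None, silence_limit=SILENCE_LIMIT, year=2005):
    """Walk the log once per sensor host and report two conditions.

    sensor_silent        no sensor message for longer than silence_limit
                         (also from the last line to `now`, if given)
    unexplained_restart  a startup line whose preceding sensor message was
                         not an orderly shutdown
    Each finding carries the last message seen before it: when the sensor
    was crashed by a packet, that is the alert to triage first.
    """
    findings = []
    last = {}   # host -> most recent sensor event on that host
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None or ev["prog"] != SENSOR_PROG:
            continue
        prev = last.get(ev["host"])
        if prev is not None:
            if ev["ts"] - prev["ts"] > silence_limit:
                findings.append({"kind": "sensor_silent", "host": ev["host"],
                                 "from": prev["ts"], "until": ev["ts"],
                                 "last_msg": prev["msg"]})
            if STARTUP_RE.search(ev["msg"]) and not CLEAN_EXIT_RE.search(prev["msg"]):
                findings.append({"kind": "unexplained_restart", "host": ev["host"],
                                 "at": ev["ts"], "pid": ev["pid"],
                                 "last_msg": prev["msg"]})
        last[ev["host"]] = ev
    # A sensor that died and never came back writes no further lines at all,
    # so liveness also means comparing the last line against the clock.
    if now is not None:
        for host, ev in last.items():
            if now - ev["ts"] > silence_limit:
                findings.append({"kind": "sensor_silent", "host": host,
                                 "from": ev["ts"], "until": None,
                                 "last_msg": ev["msg"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, now=SAMPLE_NOW):
        print(f["kind"], f["host"], f.get("at") or f["from"], "last:", f["last_msg"][:40])
```

On the constructed log this reports the 37-minute silence after the NOOP-sled alert, the restart at 16:47 that no "Snort exiting" preceded, and, when given the clock, the sensor having said nothing since 17:45. The clean restart at 17:32 is not reported. The check only works if the sensor's logs leave the box: a sensor whose tap is passive but whose management interface is live, which is exactly the case in the message above, should ship startup and shutdown lines to a collector the attacker cannot silence from the sensor itself.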

