On Fri, Jun 16, 2006 at 09:44:32AM -0600, Bob Beck wrote:
> * Joachim Schipper <[EMAIL PROTECTED]> [2006-06-15 18:03]:
> > On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
> > > > Luckily, spamd greylisting saved the day.  If it wasn't for BASE/snort 
> > > > reporting of the portscan, I wouldn't have even bothered looking
> > > > in my logs tonite, and probably would never have been aware of
> > > > the thwarted attempt.
> > > 
> > >   Good thing they're only portscanning and mailbombing you then,
> > > and not exploiting one of the bazillions of snort overflows ;)
> > 
> > If it was set up properly, exploiting Snort wouldn't gain anyone
> > anything more serious than the ability to mess up Snort logs. Granted,
> > that can be useful...
> 
>       It'll get you root on a machine with the ability to see all
> your inbound and outbound traffic, and in 99% of the "properly setup"
> cases I've ever seen still means it can inject traffic as well.

Snort can run as non-root, according to the docs; 'properly setup', in
that case, includes running as non-root and within a chroot jail. I
actually had that working at one time, but since I don't really believe
in IDS in general, it was soon scrapped - indeed, due to the fact that
no dedicated listening machines were available and, as a result, it
produced a lot of logs which took time to read while not really
improving security [1].

This setup is, basically, no different from that of pretty much any
network-attached daemon. Only OpenSSH cannot be run with such
restrictions.

Of course, compromising the Snort process in a sufficiently
sophisticated way still allows someone to sniff all traffic; this may or
may not be a problem.

>       That's a big deal, imnso.
> 
>       Having said that, many snort runners are also having it actively
> poke their firewalls. which is even more fun.

We'll agree that that is not a proper setup, though.

>       So I'm sorry, I guess the "if it is set up properly" reads to me like
> the people who don't have problems with Windows machines - "If they
> are set up properly". just like I'm going to lose weight and exercise
> till I have an ass of hard manly steel.. it's this mythical state that
> hardly ever seems to be attainable in the real world under real
> installations. 

Of course, that may be the case. Nonetheless, it is quite possible to
exercise sufficiently to reach that condition, and it is quite possible
to get Snort set up properly.

Both may involve a lot of sweat, pain, and lost time, and are best done
when you actually have that time, though. And yes, a Snort daemon that
has not been configured properly is quite dangerous.

                Joachim

[1] Even with very real intra-machine barriers like non-root processes
in a chroot() jail, I believe in stopping attackers at the hardest
barrier available - i.e., in not letting them get into the machine in
the first place.
