Re: ddos mail attack thwarted by spamd greylisting!
Greetings,

I think one way to avoid all that is by using a network tap and bonding two network cards. To be honest I haven't tried it on OpenBSD (bonding two network cards) but I suppose it should work. If anyone has tried snort with a passive tap and OpenBSD I would appreciate it if they share their experience (off list please).

Best Regards
Laurent.

On 6/17/06, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Fri, Jun 16, 2006 at 09:44:32AM -0600, Bob Beck wrote:
> > * Joachim Schipper [EMAIL PROTECTED] [2006-06-15 18:03]:
> > > On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
> > > > > Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort reporting of the portscan, I wouldn't have even bothered looking in my logs tonite, and probably would never have been aware of the thwarted attempt.
> > > >
> > > > Good thing they're only portscanning and mailbombing you then, and not exploiting one of the bazillions of snort overflows ;)
> > >
> > > If it was set up properly, exploiting Snort wouldn't gain anyone anything more serious than the ability to mess up Snort logs. Granted, that can be useful...
> >
> > It'll get you root, on a machine with the ability to see all your inbound and outbound traffic, and in 99% of the properly setup cases I've ever seen still means it can inject traffic as well.
>
> Snort can run as non-root, according to the docs; 'properly setup', in that case, includes running as non-root and within a chroot jail. I actually had that working at one time, but since I don't really believe in IDS in general, it was soon scrapped - indeed, due to the fact that no dedicated listening machines were available and, as a result, it produced a lot of logs which took time to read while not really improving security [1]. This setup is, basically, no different from that of pretty much any network-attached daemon. Only OpenSSH can not be run with such restrictions.
>
> Of course, compromising the Snort process in a sufficiently sophisticated way still allows someone to sniff all traffic; this may or may not be a problem.
>
> > That's a big deal, imnso. Having said that, many snort runners are also having it actively poke their firewalls, which is even more fun.
>
> We'll agree that that is not a proper setup, though.
>
> > So I'm sorry, I guess the "if it is set up properly" reads to me like the people who don't have problems with Windows machines - "If they are set up properly", just like I'm going to lose weight and exercise till I have an ass of hard manly steel.. it's this mythical state that hardly ever seems to be attainable in the real world under real installations.
>
> Of course, that may be the case. Nonetheless, it is quite possible to exercise sufficiently to reach that condition, and it is quite possible to get Snort set up properly. Both may involve a lot of sweat, pain, and lost time, and are best done when you actually have that time, though.
>
> And yes, a Snort daemon that has not been configured properly is quite dangerous.
>
> Joachim
>
> [1] Even with very real intra-machine barriers like non-root processes in a chroot() jail, I believe in stopping attackers at the hardest barrier available - i.e., in not letting them get into the machine in the first place.
Re: ddos mail attack thwarted by spamd greylisting!
On Fri, Jun 16, 2006 at 09:44:32AM -0600, Bob Beck wrote:
> * Joachim Schipper [EMAIL PROTECTED] [2006-06-15 18:03]:
> > On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
> > > > Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort reporting of the portscan, I wouldn't have even bothered looking in my logs tonite, and probably would never have been aware of the thwarted attempt.
> > >
> > > Good thing they're only portscanning and mailbombing you then, and not exploiting one of the bazillions of snort overflows ;)
> >
> > If it was set up properly, exploiting Snort wouldn't gain anyone anything more serious than the ability to mess up Snort logs. Granted, that can be useful...
>
> It'll get you root, on a machine with the ability to see all your inbound and outbound traffic, and in 99% of the properly setup cases I've ever seen still means it can inject traffic as well.

Snort can run as non-root, according to the docs; 'properly setup', in that case, includes running as non-root and within a chroot jail. I actually had that working at one time, but since I don't really believe in IDS in general, it was soon scrapped - indeed, due to the fact that no dedicated listening machines were available and, as a result, it produced a lot of logs which took time to read while not really improving security [1]. This setup is, basically, no different from that of pretty much any network-attached daemon. Only OpenSSH can not be run with such restrictions.

Of course, compromising the Snort process in a sufficiently sophisticated way still allows someone to sniff all traffic; this may or may not be a problem.

> That's a big deal, imnso. Having said that, many snort runners are also having it actively poke their firewalls, which is even more fun.

We'll agree that that is not a proper setup, though.

> So I'm sorry, I guess the "if it is set up properly" reads to me like the people who don't have problems with Windows machines - "If they are set up properly", just like I'm going to lose weight and exercise till I have an ass of hard manly steel.. it's this mythical state that hardly ever seems to be attainable in the real world under real installations.

Of course, that may be the case. Nonetheless, it is quite possible to exercise sufficiently to reach that condition, and it is quite possible to get Snort set up properly. Both may involve a lot of sweat, pain, and lost time, and are best done when you actually have that time, though.

And yes, a Snort daemon that has not been configured properly is quite dangerous.

Joachim

[1] Even with very real intra-machine barriers like non-root processes in a chroot() jail, I believe in stopping attackers at the hardest barrier available - i.e., in not letting them get into the machine in the first place.
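The "non-root inside a chroot jail" setup Joachim describes above, as an added example that is not from this thread or from the Snort project: a POSIX sh launcher that refuses to start Snort unless the jail directory is safe (root-owned, not group- or world-writable) and then runs it with Snort 2.x's -u/-g/-t flags. The user and group _snort, the jail /var/snort, the interface em0 and the config path are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): start Snort unprivileged in a chroot.
# Assumed values, adjust for your host: user/group _snort, jail /var/snort,
# interface em0, config /etc/snort/snort.conf.
SNORT_USER=${SNORT_USER:-_snort}
SNORT_GROUP=${SNORT_GROUP:-_snort}
SNORT_JAIL=${SNORT_JAIL:-/var/snort}
SNORT_IF=${SNORT_IF:-em0}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# A chroot only confines a compromised process if the jailed user cannot
# alter the jail itself. check_jail_dir DIR [OWNER] returns 0 when DIR is a
# directory owned by OWNER (default root) and not writable by group or
# others, 1 otherwise, with the reason on stderr.
check_jail_dir() {
    dir=$1
    want=${2:-root}
    [ -d "$dir" ] || { echo "jail $dir: not a directory" >&2; return 1; }
    # ls -ld has the same layout on BSD and Linux; stat(1) does not.
    line=$(ls -ld "$dir")
    owner=$(echo "$line" | awk '{print $3}')
    perms=$(echo "$line" | cut -c1-10)
    [ "$owner" = "$want" ] || { echo "jail $dir: owned by $owner, not $want" >&2; return 1; }
    case $perms in
        d????w????|d???????w?)
            echo "jail $dir: writable by group or others ($perms)" >&2; return 1 ;;
    esac
    return 0
}

# Snort 2.x command line: -D daemonize, -u/-g drop root after startup,
# -t chroot into the jail, -i interface, -c config. Snort checks that the
# -l log directory lies under the -t directory; see snort(8) for your version.
snort_cmd() {
    echo "snort -D -u $SNORT_USER -g $SNORT_GROUP -t $SNORT_JAIL" \
         "-i $SNORT_IF -c $SNORT_CONF -l $SNORT_JAIL/log"
}

start_snort() {
    check_jail_dir "$SNORT_JAIL" root || return 1
    cmd=$(snort_cmd)
    echo "starting: $cmd"
    $cmd    # unquoted on purpose: the paths above contain no spaces
}

# Only launch when asked to, so the file can be sourced for the checks alone.
if [ "${SNORT_START:-no}" = yes ]; then
    start_snort
fi
```

Run with SNORT_START=yes from rc to actually launch; without it the script only defines the checks.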
Re: ddos mail attack thwarted by spamd greylisting!
* Joachim Schipper [EMAIL PROTECTED] [2006-06-15 18:03]:
> On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
> > > Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort reporting of the portscan, I wouldn't have even bothered looking in my logs tonite, and probably would never have been aware of the thwarted attempt.
> >
> > Good thing they're only portscanning and mailbombing you then, and not exploiting one of the bazillions of snort overflows ;)
>
> If it was set up properly, exploiting Snort wouldn't gain anyone anything more serious than the ability to mess up Snort logs. Granted, that can be useful...

It'll get you root, on a machine with the ability to see all your inbound and outbound traffic, and in 99% of the properly setup cases I've ever seen still means it can inject traffic as well. That's a big deal, imnso.

Having said that, many snort runners are also having it actively poke their firewalls, which is even more fun.

So I'm sorry, I guess the "if it is set up properly" reads to me like the people who don't have problems with Windows machines - "If they are set up properly", just like I'm going to lose weight and exercise till I have an ass of hard manly steel.. it's this mythical state that hardly ever seems to be attainable in the real world under real installations.

-Bob
Re: ddos mail attack thwarted by spamd greylisting!
On Thu, Jun 15, 2006 at 10:02:49AM +0700, riwanlky wrote:
> Hi Guys,
>
> I am going to install an IDS for my firewall. According to this message snort has problems; is there any alternative IDS? Is there any IPS?

I've heard good things about Bro-IDS, http://www.bro-ids.org. It's not in ports, though, and does share all the intrinsic problems of an IDS with Snort. I've never tried it myself, though.

Snort-inline will work as an IPS on Linux boxes.

Joachim
Re: ddos mail attack thwarted by spamd greylisting!
On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
> > Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort reporting of the portscan, I wouldn't have even bothered looking in my logs tonite, and probably would never have been aware of the thwarted attempt.
>
> Good thing they're only portscanning and mailbombing you then, and not exploiting one of the bazillions of snort overflows ;)

If it was set up properly, exploiting Snort wouldn't gain anyone anything more serious than the ability to mess up Snort logs. Granted, that can be useful...

Joachim
Re: ddos mail attack thwarted by spamd greylisting!
Hi Guys,

I am going to install an IDS for my firewall. According to this message snort has problems; is there any alternative IDS? Is there any IPS?

Thanks,
Riwan

At 01:07 AM 6/13/2006 -0600, Bob Beck wrote:
> > Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort reporting of the portscan, I wouldn't have even bothered looking in my logs tonite, and probably would never have been aware of the thwarted attempt.
>
> Good thing they're only portscanning and mailbombing you then, and not exploiting one of the bazillions of snort overflows ;)
>
> -Bob
Re: ddos mail attack thwarted by spamd greylisting!
> Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort reporting of the portscan, I wouldn't have even bothered looking in my logs tonite, and probably would never have been aware of the thwarted attempt.

Good thing they're only portscanning and mailbombing you then, and not exploiting one of the bazillions of snort overflows ;)

-Bob