Re: [Dailydave] Snorty snort snort
From: Rodney Thayer (rodneycanola-jones.com)
Date: Wed Oct 19 2005 - 10:49:23 CDT
Aleksander P. Czarnowski wrote:
> Another cool thing about NIDS vulnerabilities is how you can scan for it
> remotely without accessing local system. you can either try to exploit
> it or to crush snort. In the latter case how can you tell that is really
> crashed without accessing the snort or central console?
> This is why I just love producing exploits for such things :)
Let's just think about this for a minute. Suppose I attack a NIDS.
I do something exotic and hard, like, oh, say, writing Dave a check.
This means I send (bad packets) through the main network path,
and the NIDS, via its tap, which may well be passive, starts coughing.
At this point I as a defender assume that you as the attacker are aware
you now have a compromised box with a (possibly passive) tap on the
main network but a fully functional network interface on some management
and/or internal network. I assume you drop in some sort of exploit
payload that will figure out how to phone home or crawl around on the
management net and attack something soft (like a 2-factor token server
running on Windows) and from there you'll phone home.
Isn't that how you bad guys do it? I saw Swordfish on cable the other
night - unfortunately they watered down the nightclub hacking scene.
The response I WANT to see is that the security appliance is hardened,
for some serious value of hardened. grsecurity, immunix, selinux,
watchdog timers, some level of defense widgetry. Something. At least show
me some interesting lies in the damn powerpoint presentation. And, I assume that
watching the NIDS to see if it's alive is a thing my security infrastructure
should be doing. One of my "this is way too easy" product review tricks
is to ask security appliance vendors if they emit a log message when the
system starts. This appears to be an exotic notion. I assume some of
you bad guys will pop a machine such that it reboots so a spurious startup
message can be scored as a red flag in my anomaly-detecting log analyzer...
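The two monitoring habits the post argues for, watching whether the NIDS is still alive and scoring an unexpected startup message as a red flag, can be expressed as a small log analyzer. The following is an added example, not code from the original post or from Snort; the syslog-style line format, the sensor name "nids1", the "heartbeat" and "starting up" message texts, and the thresholds are all constructed assumptions for illustration. It covers the silent-crash case from the quoted message (a sensor that stops reporting and never comes back) as well as the reboot case (a startup message outside any planned maintenance window).

```python
"""Added example: heartbeat and unplanned-startup checks for a NIDS sensor log.

Log format, sensor names and message texts are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample log: one sensor, a gap in heartbeats, then a startup message.
SAMPLE_LOG = """\
2005-10-19T10:00:00 nids1 sensor: heartbeat
2005-10-19T10:01:00 nids1 sensor: heartbeat
2005-10-19T10:02:00 nids1 sensor: heartbeat
2005-10-19T10:09:30 nids1 sensor: starting up
2005-10-19T10:10:00 nids1 sensor: heartbeat
2005-10-19T10:11:00 nids1 sensor: heartbeat
"""

HEARTBEAT_INTERVAL = timedelta(seconds=60)  # assumed sensor heartbeat period
MAX_MISSED = 2                               # tolerate this many missed beats


def parse_log(text):
    """Yield (timestamp, host, message) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        ts, host, msg = parts
        try:
            yield datetime.fromisoformat(ts), host, msg
        except ValueError:
            continue  # unparseable timestamp: not one of our lines


def analyze(text, now, interval=HEARTBEAT_INTERVAL, max_missed=MAX_MISSED,
            planned_restarts=()):
    """Return a list of alert strings.

    Alerts are raised for:
      * a heartbeat gap longer than interval * max_missed,
      * a sensor whose last heartbeat is older than that at time `now`
        (the crashed-and-never-came-back case),
      * a startup message outside every (start, end) window in planned_restarts.
    """
    limit = interval * max_missed
    alerts = []
    last_heartbeat = {}
    for ts, host, msg in parse_log(text):
        if msg.endswith("heartbeat"):
            prev = last_heartbeat.get(host)
            if prev is not None and ts - prev > limit:
                gap = int((ts - prev).total_seconds())
                alerts.append(f"{host}: no heartbeat for {gap}s (last at {prev.isoformat()})")
            last_heartbeat[host] = ts
        elif "starting up" in msg:
            if not any(start <= ts <= end for start, end in planned_restarts):
                alerts.append(f"{host}: unplanned startup at {ts.isoformat()}")
    # Sensors that went quiet and stayed quiet never produce another line to
    # trigger the gap check above, so check their last heartbeat against `now`.
    for host, prev in last_heartbeat.items():
        if now - prev > limit:
            alerts.append(f"{host}: silent since {prev.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, now=datetime(2005, 10, 19, 10, 12, 0)):
        print(alert)
```

The "silent since" check is the important one: an attacker who simply crashes the sensor does not trigger a startup message, so only the absence of heartbeats reveals it, and that absence has to be noticed by something other than the sensor itself. Feeding the analyzer a maintenance window suppresses the startup alert for a planned reboot while still reporting the heartbeat gap.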