OSEC

From: jeru (jeruNEWHACKCITY.NET)
Date: Sat Apr 14 2001 - 04:29:46 CDT


    Hi Riley,
    On Thu, 12 Apr 2001, Riley Hassell wrote:
    [snip]
    >
    > For example say LAME5.0 IDS matches a possible overflow coming to the ftp
    > server. Say a really long LIST <buffer>. It would then go and notify the
    > administrator or appropriate parties. If the firewall doesn't stop this
    > attack then it may succeed.
    >
    > What if my <buffer> was shellcode to throw a firewall rule up to block
    > communication to the administrator. What's faster, sending an email or
    > inserting a firewall rule?

    Most IDS implementations use two NIC cards, one sniffing traffic on the
    network not bound to an IP address and a second one on a private network for
    management. Thus these would probably have logs of this even if the email
    was blocked somehow. If your IDS is vulnerable to break-ins, you have a
    bigger problem. How would you throw up a fw rule onto the fw when the ftp
    server was exploited? I'm assuming they are separate machines. Putting any
    services on a firewall is not a good idea, especially ftp.

    --jeru
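The two-NIC sensor layout jeru describes (a sniffing interface with no IP address bound, a separate management interface on a private network) is something a sensor build can verify for itself from `ip` output. This is an added example, not code from the original thread; it parses constructed sample output of `ip -o link show` and `ip -o -4 addr show` from a hypothetical sensor, and the interface names and the management subnet are assumptions.

```python
import re
import ipaddress

# Constructed sample output of `ip -o link show` and `ip -o -4 addr show`
# from a hypothetical sensor: eth0 is the management NIC, eth1 the sniffer.
LINK_OUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""
ADDR_OUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.99.0.5/24 brd 10.99.0.255 scope global eth0
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>", re.M)
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)", re.M)


def parse_links(text):
    """Map interface name -> set of link flags (UP, PROMISC, ...)."""
    return {m.group(1): set(m.group(2).split(",")) for m in LINK_RE.finditer(text)}


def parse_addrs(text):
    """Map interface name -> list of configured addresses as CIDR strings."""
    addrs = {}
    for m in ADDR_RE.finditer(text):
        addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def audit_sensor(link_text, addr_text, sniff_if, mgmt_if, mgmt_net):
    """Return a list of findings; an empty list means the two-NIC layout holds."""
    links, addrs = parse_links(link_text), parse_addrs(addr_text)
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    flags = links.get(sniff_if)
    if flags is None:
        findings.append(f"{sniff_if}: sniffing interface not present")
    else:
        if "UP" not in flags:
            findings.append(f"{sniff_if}: sniffing interface is down")
        if "PROMISC" not in flags:
            findings.append(f"{sniff_if}: not in promiscuous mode")
    # The sniffing NIC must stay unaddressed so it cannot be reached directly.
    for a in addrs.get(sniff_if, []):
        findings.append(f"{sniff_if}: sniffing interface has address {a}")
    mgmt_addrs = addrs.get(mgmt_if, [])
    if not mgmt_addrs:
        findings.append(f"{mgmt_if}: management interface has no address")
    # Management traffic (alerts, logs) must only leave via the private network.
    for a in mgmt_addrs:
        if ipaddress.ip_interface(a).ip not in net:
            findings.append(f"{mgmt_if}: address {a} is outside {mgmt_net}")
    return findings
```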