From: jeru (jeru@NEWHACKCITY.NET)
Date: Sat Apr 14 2001 - 04:29:46 CDT
On Thu, 12 Apr 2001, Riley Hassell wrote:
> For example, say LAME5.0 IDS matches a possible overflow coming to the ftp
> server, say a really long LIST <buffer>. It would then go and notify the
> administrator or appropriate parties. If the firewall doesn't stop this
> attack then it may succeed.
> What if my <buffer> was shellcode to throw a firewall rule up to block
> communication to the administrator? What's faster, sending an email or
> inserting a firewall rule?
Most IDS implementations use two NIC cards, one sniffing traffic on the
network not bound to an IP address and a second one on a private network for
management. Thus these would probably have logs of this even if the email
was blocked somehow. If your IDS is vulnerable to break-ins, you have a
bigger problem. How would you throw up a fw rule onto the fw when the ftp
server was exploited? I'm assuming they are separate machines. Putting any
services on a firewall is not a good idea, especially ftp.