Re: Remote Syslogd

From: Martin Mačok (martin.macokat_private)
Date: Wed Nov 06 2002 - 10:43:11 PST


On Mon, Nov 04, 2002 at 07:30:37PM -0800, Gino Pietro Guidi wrote:

> Basically snort was configured to dump the contents of all syslog
> packets sent to a fake ip. Then that ip was set up as the loghost ip
> on the remote hosts. With this configuration, in theory, you
> wouldn't be able to hack into it provided the snort box had no IPs
> on ANY interface and simply listened.

But that doesn't mean the box is not 100% vulnerable ... let's say the
snort (or some other postprocessing software) has a remotely
exploitable vulnerability (say a buffer overflow or format string
error). Then you can in theory send some faked syslog packets (UDP)
with an overflow code to any IP and let the snort accept it and
process it ... the overflow can reconfigure the blackbox or simply do
some damage to it.

(When you're invisible and only listening it doesn't mean that nobody
can hurt you...)

However, this is a *very good* remote logging solution in case you
have to do logging over the same network as normal communication goes
through.

-- 
         Martin Mačok                 http://underground.cz/
   martin.macokat_private        http://Xtrmntr.org/ORBman/
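The reply's point is that a listening-only loghost still parses whatever bytes arrive for the fake address, so the parsing code is the attack surface. As an added example that is not part of this thread or of snort, here is a hardened first-pass parser for UDP syslog datagrams in Python; the 1024-byte cap, the PRI range check and the printable-only filter are assumptions about what a collector should enforce, not something the post specifies.

```python
import re
from typing import Optional, Dict, List

# RFC 3164 caps a syslog datagram at 1024 bytes. Anything longer is dropped
# outright rather than truncated and trusted. (Assumed policy, not from the thread.)
MAX_DATAGRAM = 1024
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_syslog_datagram(payload: bytes) -> Optional[Dict[str, object]]:
    """Return parsed fields, or None if the datagram is rejected.

    The message text is returned as data only; it must never be handed to a
    printf-style formatter, which is the format-string risk the reply names.
    """
    if not payload or len(payload) > MAX_DATAGRAM:
        return None
    m = PRI_RE.match(payload)
    if not m:
        return None                      # no <PRI> prefix: reject
    pri = int(m.group(1))
    if pri > 191:                        # facility 0-23 * 8 + severity 0-7
        return None
    body = payload[m.end():]
    # Keep printable ASCII only; control bytes and 8-bit junk carry nothing a
    # log line needs, and dropping them keeps odd bytes out of later tools.
    clean = bytes(b for b in body if 0x20 <= b < 0x7F)
    if not clean.strip():
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "msg": clean.decode("ascii"),
        "dropped_bytes": len(body) - len(clean),
    }


def triage(datagrams: List[bytes]) -> Dict[str, int]:
    """Count how many constructed datagrams a collector would keep or drop."""
    results = [parse_syslog_datagram(d) for d in datagrams]
    return {"kept": sum(r is not None for r in results),
            "rejected": sum(r is None for r in results)}


# Constructed sample input, not captured traffic.
SAMPLE_DATAGRAMS = [
    b"<34>Oct 11 22:14:15 host su: 'su root' failed",   # well-formed
    b"<13>hello\x00\x1b[31mworld%n",                     # control bytes stripped
    b"<34>" + b"A" * 2000,                               # oversized: rejected
    b"no pri here",                                      # malformed: rejected
]

if __name__ == "__main__":
    print(triage(SAMPLE_DATAGRAMS))
```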
    
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 04:23:07 PST