On Mon, Nov 04, 2002 at 07:30:37PM -0800, Gino Pietro Guidi wrote:

> Basically snort was configured to dump the contents of all syslog
> packets sent to a fake IP. Then that IP was set up as the loghost IP
> on the remote hosts. With this configuration, in theory, you
> wouldn't be able to hack into it provided the snort box had no IPs
> on ANY interface and simply listened.

But that doesn't mean the box is not 100% vulnerable ... let's say snort (or some other postprocessing software) has a remotely exploitable vulnerability (say a buffer overflow or format string error). Then you can in theory send some faked syslog packets (UDP) with overflow code to any IP and let snort accept and process them ... the overflow can reconfigure the black box or simply do some damage to it. (When you're invisible and only listening, it doesn't mean that nobody can hurt you...)

However, this is a *very good* remote logging solution in case you have to do logging over the same network as normal communication goes through.

--
Martin Mačok
http://underground.cz/
martin.macokat_private
http://Xtrmntr.org/ORBman/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
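The reply's point is that a collector with no IP address is still reachable through whatever parses the packets it sniffs. As an added example, not code from the thread, from snort, or from any real syslog tool, here is the kind of bounded parsing a passive collector's postprocessor needs for raw syslog UDP payloads: every read is length-checked, the payload is never assumed to be NUL-terminated, control bytes are stripped, and the message is never used as a printf format string. The function names, the 1024-byte limit (taken from RFC 3164), and the sample packets are this example's own assumptions.

```c
/* Defensive parsing of raw syslog UDP payloads, as a passive collector's
 * postprocessor would need. Added example; not code from the thread or
 * from snort. The payload is whatever arrived on the wire: not
 * NUL-terminated, any length, any bytes. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MAX_SYSLOG_LEN 1024   /* RFC 3164 upper bound on a syslog packet */

struct syslog_msg {
    int facility;
    int severity;
    char text[MAX_SYSLOG_LEN + 1];   /* sanitised, NUL-terminated copy */
};

/* Parse the "<PRI>" prefix. Returns bytes consumed, or 0 on any deviation:
 * missing '<', no digits, more than three digits, PRI above 191, or the
 * packet ending before '>'. Every read is checked against len first. */
static size_t parse_pri(const unsigned char *pkt, size_t len,
                        int *facility, int *severity)
{
    size_t i = 1;
    int pri = 0;
    if (len < 3 || pkt[0] != '<') return 0;
    while (i < len && i <= 3 && isdigit(pkt[i])) {
        pri = pri * 10 + (pkt[i] - '0');
        i++;
    }
    if (i == 1 || i >= len || pkt[i] != '>' || pri > 191) return 0;
    *facility = pri / 8;
    *severity = pri % 8;
    return i + 1;
}

/* Parse one payload into msg. Returns 0 on success, -1 if it is oversized
 * or the PRI is malformed. Control bytes are replaced with '?' so a crafted
 * message cannot inject newlines (forged log lines) or terminal escapes. */
int parse_syslog(const unsigned char *pkt, size_t len, struct syslog_msg *msg)
{
    size_t hdr, i, n = 0;
    if (len > MAX_SYSLOG_LEN) return -1;      /* reject, never truncate silently */
    hdr = parse_pri(pkt, len, &msg->facility, &msg->severity);
    if (hdr == 0) return -1;
    for (i = hdr; i < len; i++)
        msg->text[n++] = (pkt[i] >= 0x20 && pkt[i] < 0x7f) ? (char)pkt[i] : '?';
    msg->text[n] = '\0';
    return 0;
}

/* Render a log line. The message goes in as a "%s" argument and never as
 * the format string: printf(msg->text) would let a payload such as "%n"
 * write to memory, which is the kind of remote bug the reply describes.
 * Returns the line length, or -1 if it would not fit in out. */
int format_log_line(const struct syslog_msg *msg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "fac=%d sev=%d msg=%s",
                     msg->facility, msg->severity, msg->text);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample payloads: one normal, one carrying format-string
     * directives and an escape sequence, one with a malformed PRI. */
    const char *samples[] = {
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
        "<13>Oct 11 22:14:16 evil sshd: %n%n%n%s%s\x1b[2J",
        "<1234>Oct 11 22:14:17 evil bogus pri",
    };
    char line[MAX_SYSLOG_LEN + 64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct syslog_msg m;
        if (parse_syslog((const unsigned char *)samples[i],
                         strlen(samples[i]), &m) < 0) {
            printf("dropped: malformed packet %zu\n", i);
            continue;
        }
        if (format_log_line(&m, line, sizeof line) >= 0)
            puts(line);
    }
    return 0;
}
```

The length passed to parse_syslog is the one the socket or pcap layer reports, not strlen of the buffer, since an attacker controls whether the payload contains a NUL at all. Rejecting oversized or malformed packets outright, rather than truncating and continuing, keeps a crafted packet from steering the parser into a state its author did not anticipate.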
This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 04:23:07 PST