Re: Open source firewalls

Vinay Venkataraghavan wrote:
> Hello,

Hello, *devil's advocate hat on*

> I have implemented a bare-bones intrusion detection
> system that currently detects scans like open, bounce,
> half-open etc. and a host of other TCP scans.

As an aside, why? We have snort.

> I would like to develop this into a full blown IDS
> which is capable of detecting buffer overflow attacks,
> SQL injection etc.
> I know how to implement buffer overflow attacks. But
> how would an intrusion detection system detect a
> buffer overflow attack? My question is: at the layer
> at which the intrusion detection system operates, how will
> it know that a particular string, for example, is liable
> to overflow a vulnerable buffer?

Erm, if you know how some buffer overflow attacks work then surely the 
answer is "it depends on the application". To tell if an application is 
vulnerable you would have to audit it in some manner, either by checking 
the source or doing some black-box testing on it.
Even if you did have a great big database of apps and had identified 
which of them had possible vulnerabilities, it would be easier to simply 
fix them rather than get an external system to disallow such inputs.
And not forgetting that you would have to have some way for your IDS to 
tell what app was running behind a specific port. Thought about that yet?

> Are there other open source firewall implementations
> other than snort?

Snort isn't a firewall. Don't mix apples and oranges. Snort is an IDS. 
The current de-facto "firewall" for Linux is the iptables suite.
Cheers,

  n
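The reply's point, that a sensor can only judge whether a string "is liable to overflow a vulnerable buffer" once it knows which application sits behind the port and what that application's field limits are, can be shown with a small protocol-aware check. The following is an added example written for this archive page, not code from either poster or from snort; the port-to-application inventory, the application names and the per-field length limits are all hypothetical, and the FTP-style command lines are constructed test input.

```python
"""Toy protocol-aware length check: same input, different verdict per app.

Assumption (hypothetical): the sensor has been told which application
version listens on each TCP port and the largest argument that version
is known to handle for each command. Without that inventory the sensor
has no basis for a verdict, which is the mailing-list reply's point.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AppProfile:
    name: str
    # Largest argument (bytes) each command is known to handle safely.
    field_limits: Dict[str, int]


# Hypothetical service inventory: port -> application profile.
# The two entries model two releases of the same daemon with different
# buffer sizes, so one input can be an alert for one and benign for the other.
INVENTORY: Dict[int, AppProfile] = {
    21: AppProfile("hypothetical-ftpd-1.0", {"USER": 64, "PASS": 64}),
    2121: AppProfile("hypothetical-ftpd-2.0", {"USER": 1024, "PASS": 1024}),
}


def parse_command(payload: bytes) -> Tuple[str, bytes]:
    """Split one FTP-style command line into its verb and raw argument."""
    line = payload.split(b"\r\n", 1)[0]
    verb, _, arg = line.partition(b" ")
    return verb.decode("ascii", "replace").upper(), arg


def inspect(dst_port: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """Return (verdict, app name). Verdicts:
    unknown-app    - nothing in the inventory for this port; cannot judge
    no-limit-known - app known, but no limit recorded for this command
    alert          - argument exceeds the recorded limit for this app
    ok             - argument within the recorded limit
    """
    profile = INVENTORY.get(dst_port)
    if profile is None:
        return "unknown-app", None
    verb, arg = parse_command(payload)
    limit = profile.field_limits.get(verb)
    if limit is None:
        return "no-limit-known", profile.name
    if len(arg) > limit:
        return "alert", profile.name
    return "ok", profile.name


if __name__ == "__main__":
    # Constructed sample traffic: a normal login and an overlong USER argument.
    normal = b"USER bob\r\n"
    overlong = b"USER " + b"A" * 200 + b"\r\n"
    for port, payload in [(21, normal), (21, overlong), (2121, overlong), (9999, overlong)]:
        print(port, inspect(port, payload))
```

The same 200-byte USER argument is an alert against the profile on port 21, benign against the profile on port 2121, and undecidable on a port the inventory does not cover. Keeping that inventory accurate is the part of the job the reply is pointing at, and it is why fixing the application is usually cheaper than teaching an external sensor about it.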
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
