95% of the snort sensors I build use OpenBSD and the rest are a mix or
Linux(PAX/GrSecurity)/FreeBSD (for in-line). The exploit did not work on any
of these.
_Raju
On 10/26/05, byte_jump <bytejump@gmail.com> wrote:
On 10/26/05, Paul Melson <pmelson@gmail.com> wrote:
I saw that in the release notes. To date, my sensors have not detected
any
attempts to exploit the bo preproc. I suppose that now that there's
publicly available code that I ought to test it. ;)
PaulM
I didn't spend a ton of time on it, but I used the exploit code
against a Snort 2.4.0 Snort box with the BO preprocessor enabled.
Snort had been compiled with the SPP gcc (formerly ProPolice) and was
on a 2.4 kernel with grsecurity/PaX. It wasn't a scientific test by
any means, but the exploit did not work and seemed to fail due to
ProPolice (this is a stack-based buffer overflow). The exploit did
work against a similar server without ProPolice and grsecurity.
Honestly, I'm very disappointed that 1) Sourcefire doesn't use
ProPolice and grsecurity on their sensors, and 2) that
Snort.org<http://Snort.org>does
not encourage folks to use those security mechanisms, too. Those
security measures certainly seemed to work in my less-than-scientific
test.
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listsnort-users
--
May the packets be with you.
