* Joachim Schipper <[EMAIL PROTECTED]> [2006-06-15 18:03]:
> On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
> > > Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort
> > > reporting of the portscan, I wouldn't have even bothered looking in my
> > > logs tonite, and probably would never have been aware of the thwarted
> > > attempt.
> >
> > Good thing they're only portscanning and mailbombing you then,
> > and not exploiting one of the bazillions of snort overflows ;)
>
> If it was set up properly, exploiting Snort wouldn't gain anyone
> anything more serious than the ability to mess up Snort logs. Granted,
> that can be useful...
>
It'll get you root, on a machine with the ability to see all your inbound and outbound traffic, and in 99% of the "properly set up" cases I've ever seen still means it can inject traffic as well. That's a big deal, imnso.

Having said that, many snort runners are also having it actively poke their firewalls, which is even more fun.

So I'm sorry, I guess the "if it is set up properly" reads to me like the people who don't have problems with Windows machines - "If they are set up properly", just like I'm going to lose weight and exercise till I have an ass of hard manly steel... it's this mythical state that hardly ever seems to be attainable in the real world under real installations.

-Bob