* Joachim Schipper <[EMAIL PROTECTED]> [2006-06-15 18:03]:
> On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
> > > Luckily, spamd greylisting saved the day.  If it wasn't for BASE/snort
> > > reporting of the portscan, I wouldn't have even bothered looking in my
> > > logs tonight, and probably would never have been aware of the thwarted
> > > attempt.
> > > 
> > 
> >     Good thing they're only portscanning and mailbombing you then,
> > and not exploiting one of the bazillions of snort overflows ;)
> 
> If it was set up properly, exploiting Snort wouldn't gain anyone
> anything more serious than the ability to mess up Snort logs. Granted,
> that can be useful...
> 

        It'll get you root, on a machine with the ability to see all
your inbound and outbound traffic, and in 99% of the "properly setup"
cases I've ever seen still means it can inject traffic as well.

        That's a big deal, imnso.

        Having said that, many snort runners are also having it actively
poke their firewalls, which is even more fun.

        So I'm sorry, I guess the "if it is set up properly" reads to me like
the people who don't have problems with Windows machines - "If they
are set up properly". Just like I'm going to lose weight and exercise
till I have an ass of hard manly steel... it's this mythical state that
hardly ever seems to be attainable in the real world under real
installations. 

        -Bob
