Snort mailing list archives
Stealth snort with no separate sensor hardware
From: Jan Ploski <jpljpl () gmx de>
Date: Sun, 27 Oct 2002 19:02:34 +0100 (CET)
Hello, I was wondering whether it would be difficult and reasonable to hide Snort and related files from the process list/file system for retaining logs after a possible security breach. I am well aware of the techniques involving installing a sensor on a stealth NIC, installing a separate syslog server also using a stealth NIC and the like. What I am pondering is improving the chance of survival for logs hosted in an environment where snort is running on the protected host itself, for lack of hardware resources. This may be very applicable for co-location and dedicated hosting services, where you have full control over a SINGLE box and getting another machine to do the logging/monitoring for you involves a significant recurring cost.

Basically, my idea would be to use a kernel module such as adore (the one which seemed to work with my 2.4.x kernel without crashing it) to conceal Snort's presence on the system from an unaware attacker. An intruder will typically look for logs and delete them right after their break-in. But if the Snort process does not appear in the ps output, and the /var/log/snort directory does not exist for ls (but is accessible as /somewhere/else/.snortxyz for the administrator), how high would the probability of an intruder covering their tracks properly be?

From what I know about rootkits, the only trace of one having been installed would be in some system init script (which loads the kernel module; thereafter it becomes invisible for lsmod). There might also be a way of detecting that the NIC is running in promiscuous mode (how? and don't rootkits hide this fact also?). Moreover, the stability and performance of the kernel running an off-the-net rootkit module such as adore is questionable. Does it incur much overhead on the masked system calls?

Basically, I am curious to hear your opinions. Is it a flawed idea and a waste of effort, or could it be made into a "recommended best practice" for small sites lacking dedicated sensor hardware? Maybe someone does have real-life experience with a setup like this?

Best regards - Jan Ploski
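The post asks how promiscuous mode on a NIC can be detected from the host. The following is an added example, not code from the original post or from the Snort project: on Linux it reads the IFF_PROMISC bit (0x100 from `<linux/if.h>`) out of `/sys/class/net/<iface>/flags`; the sysfs root path is a parameter only so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: report Linux network interfaces that are in promiscuous mode,
# as a sniffer such as Snort would leave them. Caveat from the post: a kernel
# rootkit that intercepts the relevant syscalls or sysfs reads can falsify this
# view, so a clean result from the host itself is weak evidence only.

IFF_PROMISC=256   # 0x100, the IFF_PROMISC bit from <linux/if.h>

# is_promisc FLAGS -> exit status 0 if IFF_PROMISC is set in FLAGS
# FLAGS may be written as sysfs prints it, e.g. 0x1103.
is_promisc() {
    flags=$(( $1 ))
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# list_promisc_ifaces [SYSFS_ROOT] -> prints, one per line, the names of all
# interfaces under SYSFS_ROOT (default /sys/class/net) that are promiscuous.
list_promisc_ifaces() {
    root=${1:-/sys/class/net}
    for dir in "$root"/*; do
        [ -r "$dir/flags" ] || continue
        if is_promisc "$(cat "$dir/flags")"; then
            basename "$dir"
        fi
    done
}

# count_promisc_ifaces [SYSFS_ROOT] -> number of promiscuous interfaces found
count_promisc_ifaces() {
    list_promisc_ifaces "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the live system. The kernel also logs
# "device <iface> entered promiscuous mode" when the flag is set, which
# gives a second, independent place to cross-check (if the log survived).
list_promisc_ifaces
```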