Snort mailing list archives
RE: Stealth snort with no separate sensor hardware
From: "Justin Jessup" <jaager7 () earthlink net>
Date: Sun, 27 Oct 2002 23:42:54 +0000 (GMT)
Nice thoughts, however logic dictates a truly good hacker will run the tool ifstatus (ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus) to locate all systems running NICs in promiscuous mode (also read http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html), the theory being it would be in the hacker's best interest to map out the NIDS gauntlet. If the hacker gains root, well, if he/she is logical they will search the system for monitors such as snort, hostsentry, portsentry, shadow.pl. Also, ifconfig -a will reveal all interfaces, and an interface that is up without an IP is a clear sign of some type of NID.

I agree with the previous post: harden the systems running snort. I run OpenBSD 3.2 for my dedicated snort sensors; NetBSD 1.6 is good also. In fact you can get Sega Dreamcasts off eBay for $50, which makes a great snort sensor, very portable; NetBSD 1.6 is ported to the Sega and they have an ISO image. Also look at firewalling your snort sensors; the BSDs come with the ipfilter firewall plus integrated IPsec. I have the snort sensors on my network logging to a MySQL/ACID setup on a firewalled OpenBSD 3.2 analysis server; all the alert data goes through an IPsec gateway set up on each sensor system and on the MySQL database system. Pretty damn secure setup.

Have fun,
jj
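As an added example (not from the post or the snort project), here is a self-audit a sensor admin can run on their own host to see whether it shows the tells the post describes: an interface in PROMISC mode, or one that is UP with no IPv4 address. It assumes Linux iproute2 one-line output (`ip -o link` / `ip -o -4 addr`) rather than the BSD `ifconfig -a` the post mentions; the sample output below is constructed.

```shell
#!/bin/sh
# Added example: flag interfaces that reveal a sniffing sensor.
# Input 1: output of `ip -o link`; input 2: output of `ip -o -4 addr`.
# Prints one "iface:reason" line per finding (reason: promisc or up-no-ip).
audit_ifaces() {
    links="$1"; addrs="$2"
    printf '%s\n' "$links" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        # "2: eth0: <FLAGS> mtu ..." -> name "eth0" (strip any "@peer" suffix)
        name=$(printf '%s' "$line" | awk -F': ' '{print $2}' | cut -d@ -f1)
        flags=$(printf '%s' "$line" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
        case ",$flags," in *,LOOPBACK,*) continue;; esac   # lo is never a tell
        promisc=no; case ",$flags," in *,PROMISC,*) promisc=yes;; esac
        up=no;      case ",$flags," in *,UP,*)      up=yes;;      esac
        # does any `ip -o -4 addr` line belong to this interface?
        has_ip=no
        if printf '%s\n' "$addrs" | awk -v n="$name" '$2==n{f=1} END{exit !f}'; then
            has_ip=yes
        fi
        [ "$promisc" = yes ] && printf '%s:promisc\n' "$name"
        [ "$up" = yes ] && [ "$has_ip" = no ] && printf '%s:up-no-ip\n' "$name"
    done
    return 0
}

# Constructed sample: lo, a normal uplink (eth0) and a sniffing port (eth1).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# Demo on the sample; a live run would pass "$(ip -o link)" "$(ip -o -4 addr)".
audit_ifaces "$SAMPLE_LINKS" "$SAMPLE_ADDRS"
```

Each finding is something an attacker with root could spot the same way, so an empty result on the sensor's management side (or a finding only on the deliberately unnumbered sniffing port) is what you want to see.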