Snort mailing list archives

RE: Stealth snort with no separate sensor hardware


From: "Justin Jessup" <jaager7 () earthlink net>
Date: Sun, 27 Oct 2002 23:42:54 +0000 (GMT)

Nice thoughts, however logic dictates a truly good hacker will run the tool ifstatus
ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus

Also read
http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html

to locate all systems running NICs in promiscuous mode, the theory being it would be in the hacker's best interest to map out the NIDS gauntlet. If the hacker gains root, well, he/she, if they are logical, will search the system for monitors such as snort, hostsentry, portsentry, shadow.pl. Also ifconfig -a will reveal all interfaces, and an interface that is up without an IP is a clear sign of some type of NIDS.

I agree with the previous post: harden the systems running snort. I run OpenBSD 3.2 for my dedicated snort sensors; NetBSD 1.6 is good also. In fact you can get Sega Dreamcasts off eBay for $50; makes a great snort sensor, very portable. NetBSD 1.6 is ported to the Sega; they have an ISO image.

Also look at firewalling your snort sensors. The BSDs come with the ipfilter firewall plus integrated IPsec. I have the snort sensors on my network logging to a MySQL/ACID setup on a firewalled OpenBSD 3.2 analysis server; all the alert data goes through an IPsec gateway setup on each sensor system and on the MySQL database system. Pretty damn secure setup.

Have fun,
jj
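The check the post describes (scan `ifconfig -a` for a PROMISC flag, or for an interface that is UP but carries no IP address) written out as a small POSIX sh/awk filter. This is an added example, not code from the original post or from the ifstatus tool; it assumes BSD-style ifconfig output of the kind OpenBSD/NetBSD print, and the interface names, MAC addresses and IPs in the embedded sample are constructed. Linux ifconfig and `ip link` format their output differently and would need their own patterns.

```shell
#!/bin/sh
# Added example: find interfaces that look like an IDS sniffing port in
# BSD-style "ifconfig -a" output. An interface is reported when its flag
# word contains PROMISC, or when it is UP, not LOOPBACK, and has no "inet"
# line. Output is one line per suspect: "<ifname> [PROMISC] [no-inet]".
suspect_ifaces() {
    awk '
    function report() {
        if (name == "") return
        reasons = ""
        if (promisc) reasons = reasons " PROMISC"
        if (up && !loop && !inet) reasons = reasons " no-inet"
        if (reasons != "") print name reasons
    }
    # Interface header, e.g. "fxp0: flags=8943<UP,BROADCAST,...> mtu 1500"
    /^[a-z][a-z0-9]*: flags=/ {
        report()                      # emit the verdict for the previous block
        name = $1; sub(/:$/, "", name)
        up      = ($2 ~ /[<,]UP[,>]/)       ? 1 : 0
        promisc = ($2 ~ /[<,]PROMISC[,>]/)  ? 1 : 0
        loop    = ($2 ~ /[<,]LOOPBACK[,>]/) ? 1 : 0
        inet    = 0
        next
    }
    # An indented "inet a.b.c.d ..." line means the interface has an address
    /^[ \t]+inet / { inet = 1 }
    END { report() }
    '
}

# Constructed sample (not captured from a real host): fxp0 is the sniffing
# NIC (PROMISC, no address), fxp1 is the management NIC with an IP, fxp2 is
# cabled but down, lo0 is loopback.
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:00:00:01
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:00:00:02
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
fxp2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:00:00:03
lo0: flags=8009<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000'

# Run the filter over the constructed sample; on a live box use:
#   ifconfig -a | suspect_ifaces
scan_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | suspect_ifaces
}

scan_sample
```

Only the PROMISC flag is direct evidence of sniffing; a sensor whose capture NIC also has an address (like fxp1 above) passes the no-inet test, and a NIC that is merely down (fxp2) is not flagged at all. The flag is also only visible to someone who already has a shell on the box, which is why the post's advice is to harden and firewall the sensor itself.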



