Snort mailing list archives
RE: Stealth snort with no separate sensor hardware
From: Jan Ploski <jpljpl () gmx de>
Date: Mon, 28 Oct 2002 01:04:29 +0100 (CET)
On Sun, Oct 27, 2002 at 11:42:54PM +0000, Justin Jessup wrote:
> Nice thoughts, however logic dictates a truly good hacker will run the tool ifstatus (ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus) to locate all systems running NICs in promiscuous mode.
Thanks for the hint, I did not know about this tool. However, I suspect that given the ability to override handling of system calls using a Linux kernel module it would be possible to render a tool such as ifstatus unusable. After all, it has to depend on some syscalls to get the network interface status, and if the kernel is rigged so as to report a false status, little can be done, short of replacing the kernel. I don't know how much of this applies to BSD, but I guess you could modify its kernel, too (though it may be more of a hassle).
> The theory being it would be in the hacker's best interest to map out the NIDS gauntlet. If the hacker gains root, well, he/she, if they are logical, will search the system for monitors such as snort, hostsentry, portsentry, shadow.pl. Also, ifconfig -a will reveal all interfaces, and an interface that is up without an IP is a clear sign of some type of NIDS.
Indeed, and my idea was to alter the system so as to make all these detection attempts fail. True, this steals some usefulness from these tools when used by a legit admin, but after all YOU know what you are running and where your sensitive files are, right? The rootkits also contain password-protected backdoors, so that you, the installer, are in power to disable them. Theoretically, you should be the only person able to detect that the system has been altered at all.
> I agree with the previous post: harden the systems running snort. I run OpenBSD 3.2 for my dedicated snort sensors; NetBSD 1.6 is good also. In fact you can get Sega Dreamcasts off eBay for $50; makes a great snort sensor, very portable. NetBSD 1.6 is ported to the Sega; they have an ISO image. Also look at firewalling your snort sensors: the BSDs come with the ipfilter firewall plus integrated IPsec.
All good if you can dedicate some piece of hardware as the sensor/log server. However, putting the $50 toy onto a server farm doing the dedicated hosting for you would cause $75 (or likely more, I don't know the current rates) per month in "upkeep" fees. To put it short, I am not looking for a setup that is proven to be bullet-proof, but for a setup that is good enough to survive a break-in into a single server hosted in a co-location facility and provide enough information for an admin to notice the intruder.

Best regards -
Jan Ploski
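The two giveaways this thread relies on, PROMISC in the interface flags and an interface that is UP without an IP address, as an added example that is not part of the original posts: a Python script that parses `ifconfig -a` output and flags the interfaces that match either rule. It handles both the classic net-tools layout of the period ("UP BROADCAST ... MTU:1500", "inet addr:") and the newer "flags=4163<UP,...>" layout, which goes beyond what the posts describe. The sample outputs embedded below are constructed, not captured from any real host, and the function names are my own.

```python
import re
import subprocess

# Constructed sample of classic net-tools `ifconfig -a` output (not captured
# from a real host). eth1 is up, in promiscuous mode and has no address: the
# pattern the thread describes as the giveaway for a sniffer.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AB:CD:EF
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12345 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:0C:29:12:34:56
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:99 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Same situation in the newer net-tools layout (also constructed).
# 4419 = 4163 + 0x100 (IFF_PROMISC).
SAMPLE_IFCONFIG_NEW = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
        ether 00:0c:29:ab:cd:ef  txqueuelen 1000  (Ethernet)

eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether 00:0c:29:12:34:56  txqueuelen 1000  (Ethernet)
"""

_OLD_FLAGS = re.compile(r"^\s+((?:[A-Z]+\s+)+)MTU:\d+")   # "  UP BROADCAST ... MTU:1500"
_NEW_FLAGS = re.compile(r"^(\S+):\s+flags=\d+<([^>]*)>")    # "eth0: flags=4163<UP,...>"
_INET = re.compile(r"\binet(?: addr:|\s+)(\d+\.\d+\.\d+\.\d+)")  # IPv4 only; skips inet6


def parse_ifconfig(text):
    """Return {iface: {"flags": set_of_flag_names, "inet": [ipv4, ...]}}.

    Interface blocks are separated by blank lines; the interface name is the
    first token of a line that starts in column 0 (both layouts).
    """
    ifaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        m = _NEW_FLAGS.match(line)
        if m:                                   # newer layout: name and flags on one line
            current = m.group(1)
            ifaces[current] = {"flags": set(m.group(2).split(",")), "inet": []}
            continue
        if not line[0].isspace():               # classic layout: name line, flags come later
            current = line.split()[0]
            ifaces[current] = {"flags": set(), "inet": []}
            continue
        if current is None:
            continue
        m = _OLD_FLAGS.match(line)
        if m:
            ifaces[current]["flags"].update(m.group(1).split())
        m = _INET.search(line)
        if m:
            ifaces[current]["inet"].append(m.group(1))
    return ifaces


def audit_interfaces(text):
    """Apply the thread's two rules and return [(iface, [reason, ...]), ...].

    Loopback and DOWN interfaces are ignored: neither rule says anything
    useful about them.
    """
    findings = []
    for name, info in parse_ifconfig(text).items():
        flags = info["flags"]
        if "LOOPBACK" in flags or "UP" not in flags:
            continue
        reasons = []
        if "PROMISC" in flags:
            reasons.append("promiscuous mode")
        if not info["inet"]:
            reasons.append("up without an IPv4 address")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    # Prefer the live host; fall back to the constructed sample when ifconfig
    # is unavailable (e.g. a container without net-tools).
    try:
        out = subprocess.run(["ifconfig", "-a"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_IFCONFIG
    for name, reasons in audit_interfaces(out):
        print(f"{name}: {', '.join(reasons)}")
```

Two caveats follow directly from the thread. First, this reads only what the kernel is willing to report, so a kernel rigged to lie about interface flags, as the reply above describes, defeats it exactly as it defeats ifstatus. Second, the "up without an address" rule also fires on legitimately addressless ports such as bridge or bonding members, so treat hits as leads to look into rather than proof of a sensor.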
Current thread:
- Stealth snort with no separate sensor hardware Jan Ploski (Oct 27)
- RE: Stealth snort with no separate sensor hardware Wayne T Work (Oct 27)
- Re: Stealth snort with no separate sensor hardware Alberto Gonzalez (Oct 27)
- Re: Stealth snort with no separate sensor hardware quentyn (Oct 28)
- <Possible follow-ups>
- RE: Stealth snort with no separate sensor hardware Justin Jessup (Oct 27)
- RE: Stealth snort with no separate sensor hardware Jan Ploski (Oct 27)