Snort mailing list archives
Re: Stealth snort with no separate sensor hardware
From: quentyn () fotango com
Date: Mon, 28 Oct 2002 17:35:11 +0000
Jan Ploski wrote:
Hello,
Basically, my idea would be to use a kernel module such as adore (the one which seemed to work with my 2.4.x kernel without crashing it) to conceal Snort's presence on the system to an unaware attacker. An intruder will typically look for logs and delete them right after their break-in.
I think you want something like the LIDS project (http://lids.planetmirror.com/). You can make processes invisible, as well as file systems and files (and allow only certain users to see files, etc.). You can also make files immutable or append-only, and a whole load of other funky things. Beware, though: you can make your system unbootable (like when you hide /etc from everything ;o) ).

Q

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################

Don't get mad. Get covered in blood as you disembowel your enemies with a chainsaw.
Current thread:
- Stealth snort with no separate sensor hardware Jan Ploski (Oct 27)
- RE: Stealth snort with no separate sensor hardware Wayne T Work (Oct 27)
- Re: Stealth snort with no separate sensor hardware Alberto Gonzalez (Oct 27)
- Re: Stealth snort with no separate sensor hardware quentyn (Oct 28)
- <Possible follow-ups>
- RE: Stealth snort with no separate sensor hardware Justin Jessup (Oct 27)
- RE: Stealth snort with no separate sensor hardware Jan Ploski (Oct 27)