Snort mailing list archives

Re: Stealth snort with no separate sensor hardware


From: quentyn () fotango com
Date: Mon, 28 Oct 2002 17:35:11 +0000

Jan Ploski wrote:

Hello,


Basically, my idea would be to use a kernel module such as adore
(the one which seemed to work with my 2.4.x kernel without crashing it)
to conceal Snort's presence on the system to an unaware attacker.
An intruder will typically look for logs and delete them right after
their break-in.


I think you want something like the LIDS project
(http://lids.planetmirror.com/)

you can make processes invisible as well as file systems and files (and
allow only certain users to see files etc.)


you can also make files immutable or append-only and a whole load of other
funky things; beware, though, that you can make your system unbootable (like
when you hide /etc from everything ;o) )




Q

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
Don't get mad. Get covered in blood as you disembowel your enemies with
a chainsaw.
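The immutable / append-only protection discussed above is prevention; the check below is an added example (not code from this thread, from LIDS or from Snort) of the complementary detection step: keep a hash chain over the Snort alert file, store the checkpoint somewhere the intruder cannot rewrite, and later confirm the current file is a strict extension of what was checkpointed. The alert lines, rule SIDs and addresses are constructed for the example.

```python
import hashlib

# Constructed sample lines in Snort's "fast" alert format. They are made up
# for this example and do not come from the thread or from a real sensor.
SAMPLE_ALERTS = [
    "10/28-17:35:11.100000  [**] [1:1000001:1] constructed: SSH probe [**] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:22",
    "10/28-17:35:12.200000  [**] [1:1000002:1] constructed: portscan [**] [Priority: 3] {TCP} 10.0.0.5:4445 -> 10.0.0.9:80",
    "10/28-17:35:13.300000  [**] [1:1000003:1] constructed: shell on high port [**] [Priority: 1] {TCP} 10.0.0.5:4446 -> 10.0.0.9:31337",
    "10/28-17:36:01.400000  [**] [1:1000004:1] constructed: outbound IRC [**] [Priority: 2] {TCP} 10.0.0.9:1025 -> 192.0.2.10:6667",
    "10/28-17:36:05.500000  [**] [1:1000005:1] constructed: rootkit download [**] [Priority: 1] {TCP} 10.0.0.9:1026 -> 192.0.2.10:80",
]

# Arbitrary fixed starting value for the chain (assumption of this example).
GENESIS = hashlib.sha256(b"snort-alert-chain-v1").hexdigest()


def chain(lines, start=GENESIS):
    """Running digests h_1..h_n with h_i = sha256(h_{i-1} || "\\n" || line_i).

    Each digest commits to every earlier line, so an edit, deletion or
    reordering anywhere before line i changes h_i and everything after it.
    """
    out = []
    h = start
    for line in lines:
        h = hashlib.sha256((h + "\n" + line).encode()).hexdigest()
        out.append(h)
    return out


def snapshot(lines):
    """Checkpoint to store off-host: line count plus the running digests."""
    return {"count": len(lines), "chain": chain(lines)}


def verify(lines, snap):
    """Compare the log as it is now against an earlier checkpoint.

    Returns (status, detail):
      ("ok", n)        -- the checkpointed prefix is intact and n lines were appended
      ("truncated", n) -- only n lines remain, fewer than the checkpoint recorded
      ("modified", i)  -- line i (0-based) inside the checkpointed prefix differs
    """
    if len(lines) < snap["count"]:
        return "truncated", len(lines)
    current = chain(lines[:snap["count"]])
    for i, (now, then) in enumerate(zip(current, snap["chain"])):
        if now != then:
            return "modified", i
    return "ok", len(lines) - snap["count"]


def tamper(lines, index, new_text):
    """Return a copy of lines with one entry rewritten (simulates an intruder edit)."""
    edited = list(lines)
    edited[index] = new_text
    return edited


def read_log(path):
    """Read an alert file into the line list the functions above expect."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh]


if __name__ == "__main__":
    snap = snapshot(SAMPLE_ALERTS[:3])            # taken before the break-in
    print("untouched, 2 new alerts:", verify(SAMPLE_ALERTS, snap))
    print("file deleted:           ", verify([], snap))
    print("tail cut off:           ", verify(SAMPLE_ALERTS[:2], snap))
    print("line 1 rewritten:       ", verify(tamper(SAMPLE_ALERTS, 1, "nothing here"), snap))
    print("line 1 removed:         ", verify(SAMPLE_ALERTS[:1] + SAMPLE_ALERTS[2:], snap))
```

The checkpoint is only useful if it lives where the intruder cannot rewrite it at the same time as the log (shipped to another host, or on a file the kernel-level protection makes read-only); kept next to the alert file it is just one more thing to delete. Note too that this tells you the log was touched after the fact; it does nothing to hide the sensor, which is what the LIDS suggestion addresses.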


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users