Snort mailing list archives
RE: Securing a Snort machine
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 17 Apr 2003 11:45:25 -0400
At 03:36 PM 4/17/2003 +1000, Elvira_Byrnes () mobileinnovations com au wrote:
Thanks a lot for your suggestions. What is the proper way to configure an IPless interface on the RedHat? Is it safe to run Webmin on that box? Thanks a lot. Regards, Elvira
Webmin always carries a small degree of risk, since it is a powerful tool and is network accessible. If you do run it, make SURE that it's only bound to an "inside" interface and make sure that your firewall will NOT allow the internet to talk to the IP of that interface. As long as it's running only on an inside interface that's protected by a firewall it should be safe, but you are depending on the firewall.
Also, one suggestion that (shockingly) nobody on the list mentioned: it's generally a wise idea to chroot and setuid your copy of snort. This will make it harder to exploit the machine should snort itself contain a buffer overflow (i.e. like the rpc_decode bug). This is relatively easy to do, but does involve building the directories for a chroot jail.
1) Make a /home/snort or something of the sort.

2) Under it create some directories (note that var needs to be chowned such that the user snort runs as can access it. In this example I'm using the user nobody, but you can create a special "snort" user.)

   drwxr-xr-x 2 root   root  512 Apr 14 17:25 dev
   drwxr-xr-x 2 root   root  512 Dec 19 21:55 etc
   drwxr-xr-x 2 root   root 1536 Dec 19 16:56 rules
   drwxr-xr-x 2 root   root  512 Dec 19 18:13 sbin
   drwxr-xr-x 4 nobody root  512 Dec 19 20:33 var

   Under var make a log directory:

   drwxr-xr-x 3 nobody root  512 Dec 19 16:58 log

   and under log make a snort directory:

   drwxr-x--- 2 nobody root 1024 Apr 17 01:30 snort

   Note: I've also made that directory chmod 750 to prevent non-root users other than nobody

3) Make some entries in dev (note: mknod commands assume Linux; these values are different on BSDs):

   cd /home/snort/dev
   mknod null c 1 3
   mknod zero c 1 5

4) Set up syslog to have a log point within the chroot: edit /etc/sysconfig/syslog such that SYSLOGD_OPTIONS contains "-a /home/snort/dev", then:

   service syslog restart

5) Copy your rules into the rules directory of the chroot, and your snort.conf into its etc. Also copy snort to the chroot's sbin.

6) Make a simple script to start snort with chroot (modify it to taste):

   #!/bin/sh
   /home/snort/sbin/snort -c etc/snort-spade.conf -t /home/snort -l /var/log/snort -u nobody -i eth0 -D
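The six steps above, as an added example that is not part of Matt's post: a POSIX sh script that builds the jail tree with the permissions shown, creates the two device nodes, and prints the start command from step 6. The jail root, run-as user, interface and config file name are parameters (the values used here are illustrative); the device major/minor numbers assume Linux, as the post notes.

```shell
#!/bin/sh
# Added example, not from the original post: build the chroot jail layout
# Matt Kettler describes, parameterised on jail root and run-as user.
# Assumes Linux device numbers (null = 1,3; zero = 1,5). chown and mknod
# need root; both are skipped with a warning otherwise, so the directory
# layout can still be created and inspected as an unprivileged user.

# build_jail_dirs JAIL USER: steps 1 and 2, the directory tree.
build_jail_dirs() {
    jail="$1"; user="$2"
    mkdir -p "$jail/dev" "$jail/etc" "$jail/rules" "$jail/sbin" \
             "$jail/var/log/snort" || return 1
    # Everything snort only reads stays root-owned and world-readable.
    chmod 755 "$jail" "$jail/dev" "$jail/etc" "$jail/rules" "$jail/sbin" \
              "$jail/var" "$jail/var/log"
    # 750 keeps other unprivileged users away from the alert and log data.
    chmod 750 "$jail/var/log/snort"
    if [ "$(id -u)" -eq 0 ]; then
        # Only the log tree is handed to the unprivileged run-as user.
        chown "$user" "$jail/var" "$jail/var/log" "$jail/var/log/snort"
    else
        echo "warning: not root, skipping chown of $jail/var to $user" >&2
    fi
}

# make_jail_devices JAIL: step 3, the only device nodes snort needs.
make_jail_devices() {
    jail="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: not root, skipping mknod in $jail/dev" >&2
        return 0
    fi
    [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    [ -c "$jail/dev/zero" ] || mknod -m 666 "$jail/dev/zero" c 1 5
}

# jail_snort_cmd JAIL USER IFACE CONF: print the step 6 start command.
# Paths follow the post's script: -c is given relative to the jail root.
jail_snort_cmd() {
    printf '%s/sbin/snort -c etc/%s -t %s -l /var/log/snort -u %s -i %s -D\n' \
        "$1" "$4" "$1" "$2" "$3"
}

# Usage: sh build-snort-jail.sh /home/snort nobody eth0 snort.conf
if [ $# -eq 4 ]; then
    build_jail_dirs "$1" "$2" && make_jail_devices "$1" && jail_snort_cmd "$@"
fi
```

Step 4 (the syslog -a socket) and step 5 (copying snort, its rules and config into the jail) are site-specific and are left to the operator.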