Snort mailing list archives
Re: (no subject)
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 07 Jun 2004 12:09:47 -0400
At 11:58 AM 6/7/2004, Mike Cohen wrote:
I'm just trying to make sure that I can try to lock down my sensor as much as possible. Are there any other parameters like chroot or the like that would help lock this down?
YES.. chrooting is quite helpful; however, make sure you setuid if you chroot (a root user can break out of a chroot easily).
Make sure you chroot into a jail which doesn't have such useful things as /bin/sh in it. I generally only populate my jails in the most minimal fashion possible.
/dev typically only has a few utility items such as null, zero, and random. If I'm using syslog in the jail, I reconfigure my syslog init script to create a second socket in the jail's /dev.
/lib typically only has enough libraries to load the application. /bin and /sbin are typically empty, as is /usr/. /etc typically has just configs for the application at hand.
Other lock-down measures include having a separate read-only interface that snort sniffs on. You can software enforce this by creating an ip-less "stealth" interface (see the snort FAQ). You can hardware enforce it by using a hardware tap, or by using a layer 3 managed switch.
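The chroot-then-setuid sequence the reply insists on, as an added C example that is not from the original post or from Snort itself; the empty temporary jail directory and the uid/gid 65534 (nobody/nogroup) are assumptions. The self-check verifies the point of the reply: after the drop, regaining root must fail.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Enter the jail and drop root in the order that actually sticks:
 * chroot(), then chdir("/") so the cwd is inside the jail, then
 * supplementary groups, gid and uid (gid before uid, or the gid change
 * is refused once we are no longer root). Returns 0 on success or a
 * negative step number telling the caller which step failed. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0)          return -1;  /* needs CAP_SYS_CHROOT */
    if (chdir("/") != 0)            return -2;  /* otherwise cwd still points outside */
    if (setgroups(0, NULL) != 0)    return -3;  /* shed inherited groups */
    if (setgid(gid) != 0)           return -4;
    if (setuid(uid) != 0)           return -5;
    /* A real drop is irreversible: becoming root again must fail. */
    if (uid != 0 && setuid(0) == 0) return -6;
    return 0;
}

/* Self-check runnable from any account. Returns 1 when either the OS
 * refused a privileged step (we are not really root here) or the jail
 * was entered and root is verifiably gone; anything else is a failure. */
int self_test(void)
{
    char tmpl[] = "/tmp/jail-XXXXXX";            /* constructed, empty jail */
    const uid_t uid = 65534; const gid_t gid = 65534; /* nobody/nogroup, assumed */
    if (mkdtemp(tmpl) == NULL) return 0;
    int rc = jail_and_drop(tmpl, uid, gid);
    int e = errno;
    if (rc == -1) rmdir(tmpl);                   /* never got in: clean up */
    if (rc < 0 && rc >= -4) return e == EPERM || e == EINVAL; /* refused by OS */
    if (rc != 0) return 0;
    /* Inside the jail now: the process can no longer reach /tmp to clean up. */
    return getuid() == uid && geteuid() == uid && getgid() == gid
        && setuid(0) == -1 && errno == EPERM;
}

int main(void)
{
    printf("jail self-test: %s\n", self_test() ? "ok" : "FAILED");
    return 0;
}
```

Run as root it chroots into the empty directory and confirms the drop; run unprivileged it reports that the kernel refused chroot, which is the expected outcome.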