[Snort-users] Stealth snort with no separate sensor hardware

Wayne T Work securitygauntlet at ...3130...
Sun Oct 27 12:45:02 EST 2002

Here is a link to the National Security Agency Secure Linux project. I know
some of ya don't trust the Gov but its not to back of a deal.

Next I would get all the Hardening Docs on Unix and locking down the Kernel.
The NSA site above and here is the site for the National Institute of
Standards and Technologies (NIST) Docs.

READ as much as you can. Be VERY familiar with UNIX before you implement ANY
of the references. Very easy to shut yourself out.

Good luck

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jan Ploski
Sent: Sunday, October 27, 2002 1:03 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Stealth snort with no separate sensor hardware


I was wondering whether it would be difficult and reasonable to hide
Snort and related files from the process list/file system for
retaining logs after a possible security breach.

I am well aware of the techniques involving installing a sensor on a
stealth NIC, installing a separate syslog server also using a stealth
NIC and the like.

What I am pondering is improving the chance of survival for logs
hosted in an environment where snort is running on the protected host
itself, in lack of hardware resources. This may be very applicable for
co-location and dedicated hosting services, where you have full
control over a SINGLE box and getting another machine to do the
logging/monitoring for you involves a significant recurring cost.

Basically, my idea would be to use a kernel module such as adore
(the one which seemed to work with my 2.4.x kernel without crashing it)
to conceal Snort's presence on the system to an unaware attacker.
An intruder will typically look for logs and delete them right after
their break-in.

But if the Snort process does not appear in the ps output, and the
/var/log/snort directory does not exist for ls (but is accessible as
/somewhere/else/.snortxyz for the administrator), how high would the
probabilty of an intruder covering their tracks properly be?

>From what I know about rootkits, the only trace of one having been
installed would be in some system init script (which loads the kernel
module; thereafter it becomes invisible for lsmod). There might also
be a way of detecting that the NIC is runninng in the promiscuous
mode (how? and don't rootkits hide this fact also?). Moreover,
the stability and performance of the kernel running an off-the-net
rootkit module such as adore is questionable. Does it incur much
overhead on the masked system calls?

Basically, I am curious to hear your opinions. Is it a flawed idea
and a waste of effort, or could it be made into a "recommended best
practice" for small sites lacking dedicated sensor hardware? Maybe
someone does have real-life experience with a setup like this?

Best regards -
Jan Ploski

This SF.net email is sponsored by: ApacheCon, November 18-21 in
Las Vegas (supported by COMDEX), the only Apache event to be
fully supported by the ASF. http://www.apachecon.com
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list