[Snort-users] Stealth snort with no separate sensor hardware

Justin Jessup jaager7 at ...741...
Sun Oct 27 15:43:02 EST 2002


Nice thoughts. However, logic dictates a truly good hacker will run the tool ifstatus
ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus

also read
http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html

to locate all systems running NICs in promiscuous mode, the theory being that it would be in the hacker's best interest to map out the NIDS gauntlet. If the hacker gains root, well, he/she, if they are logical, will search the system for monitors such as snort, hostsentry, portsentry, shadow.pl. Also ifconfig -a will reveal all interfaces, and an interface that is up without an IP is a clear sign of some type of NIDS.

I agree with the previous post: harden the systems running snort. I run OpenBSD 3.2 for my dedicated snort sensors; NetBSD 1.6 is good also. In fact you can get Sega Dreamcasts off eBay for $50; makes a great snort sensor, very portable. NetBSD 1.6 is ported to the Sega; they have an ISO image. Also look at firewalling your snort sensors: the BSDs come with the ipfilter firewall plus integrated IPsec. I have the snort sensors on my network logging to a MySQL/ACID setup on a firewalled OpenBSD 3.2 analysis server; all the alert data goes through an IPsec gateway setup on each sensor system and on the MySQL database system. Pretty damn secure setup.

have fun
jj
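The ifconfig -a check described in the post, turned into a defender's host audit, as an added example that is not part of the original mail: it parses BSD/net-tools style ifconfig output (a constructed sample, not a real host) and lists interfaces that are up and promiscuous with no inet address, which is what a misconfigured sensor or an unexpected sniffer looks like from the host.

```shell
#!/bin/sh
# Constructed ifconfig -a output (sample data, not a real host): xl0 is a
# management NIC with an address, fxp0 is a stealth sniffing NIC that is UP and
# PROMISC with no inet address, lo0 is loopback.
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.20 netmask 0xffffff00 broadcast 192.0.2.255
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000'

# Read ifconfig-style output on stdin and print one line per interface:
#   <name> <up|down> <promisc|normal> <inet|noip>
# Only IPv4 "inet " lines count as an address; inet6 link-local addresses
# show up on sniffing interfaces too, so they are deliberately ignored.
audit_interfaces() {
    awk '
        /^[a-zA-Z0-9]+: flags=/ {
            if (name != "") print name, up, promisc, hasip
            name = $1; sub(/:$/, "", name)
            up      = ($0 ~ /<UP[,>]/) ? "up"      : "down"
            promisc = ($0 ~ /PROMISC/) ? "promisc" : "normal"
            hasip   = "noip"
        }
        /^[ \t]+inet / { hasip = "inet" }
        END { if (name != "") print name, up, promisc, hasip }
    '
}

# Names of interfaces matching the signature the post describes:
# up, in promiscuous mode, and carrying no IPv4 address.
find_stealth_interfaces() {
    audit_interfaces | awk '$2 == "up" && $3 == "promisc" && $4 == "noip" { print $1 }'
}

# Stand-alone run against the constructed sample; on a real host replace the
# printf with: ifconfig -a | find_stealth_interfaces
printf '%s\n' "$SAMPLE_IFCONFIG" | find_stealth_interfaces
```

Run it over each host's real ifconfig output to confirm that only your intended sensor interfaces appear, and that the management interface of a sensor is never in promiscuous mode.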
