[Snort-users] Stealth snort with no separate sensor hardware

Jan Ploski jpljpl at ...348...
Sun Oct 27 16:05:02 EST 2002


On Sun, Oct 27, 2002 at 11:42:54PM +0000, Justin Jessup wrote:
> Nice thoughts; however, logic dictates a truly good hacker will run the tool
> ifstatus
> ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus
> to locate all systems running NICs in promiscuous mode.

Thanks for the hint, I did not know about this tool. However, I suspect
that given the ability to override handling of system calls using
a Linux kernel module it would be possible to render a tool such
as ifstatus unusable. After all, it has to depend on some syscalls
to get the network interface status, and if the kernel is rigged so
as to report a false status, little can be done, short of replacing
the kernel. I don't know how much of this applies to BSD, but I guess
you could modify its kernel, too (though it may be more of a hassle).

> Theory being it would be in the hacker's best interest to map out the
> NIDs gauntlet. If the hacker gains root, well, he/she (if they are logical)
> will search the system for monitors such as snort, hostsentry,
> portsentry, shadow.pl. Also, ifconfig -a will reveal all interfaces, and
> an interface that is up without an IP is a clear sign of some type of
> NID.

Indeed, and my idea was to alter the system so as to make all these
detection attempts fail. True, this steals some usefulness from these
tools when used by a legit admin, but after all YOU know what you
are running and where your sensitive files are, right? The rootkits
also contain password-protected backdoors, so that you, the installer,
are in power to disable them. Theoretically, you should be the only
person able to detect that the system has been altered at all.

> I agree with the previous post: harden the systems running snort. I run
> OpenBSD 3.2 for my dedicated snort sensors; NetBSD 1.6 is good also.
> In fact you can get Sega Dreamcasts off eBay for $50; makes a great
> snort sensor, very portable. NetBSD 1.6 is ported to the Sega; they have
> an ISO image. Also look at firewalling your snort sensors; the BSDs come
> with the ipfilter firewall plus integrated IPsec.

All good if you can dedicate some piece of hardware as the sensor/log
server. However, putting the $50 toy onto a server farm doing the
dedicated hosting for you would cause $75 (or likely more, I don't know
the current rates) per month in "upkeep" fees.

To put it short, I am not looking for a setup that is proven to be
bullet-proof, but for a setup that is good enough to survive a break-in
into a single server hosted in a co-location facility and provide
enough information for an admin to notice the intruder.

Best regards -
Jan Ploski
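The two tells quoted in this thread (a NIC in promiscuous mode, and an interface that is up without an IP address) are exactly what an admin would want to audit their own hosts for, so they know what the sensor looks like from the inside before anyone else does. The script below is an added example and is not code from the thread, from ifstatus, or from the Snort project. It assumes Linux with iproute2, parses the one-line (`-o`) output of `ip -o link` and `ip -o -4 addr`, and ships with a constructed sample of that output so it runs offline; `--live` runs it against the real host. The caveat Jan raises applies to it as much as to ifstatus: if the kernel has been modified to report false interface flags, this check is only as honest as the kernel, so it is meaningful as a baseline taken from a known-good system and compared against an inventory, not as proof that nothing is hidden.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host for interfaces
# that match the two tells discussed above, a NIC in promiscuous mode and
# an interface that is up with no IPv4 address. Input is the text of
# `ip -o link` and `ip -o -4 addr` (iproute2), so it works on saved
# output as well as live.

# Constructed sample output, shaped like iproute2's one-line (-o) format.
# eth1 is the "sensor-looking" interface; eth2 is administratively down.
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN'
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# audit_ifaces LINK_TEXT ADDR_TEXT
# Prints "<iface> <reason[,reason]>" for every non-loopback interface that
# is UP and either carries the PROMISC flag or has no IPv4 address.
audit_ifaces() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | awk -F': ' '{ print $2 }')
        name=${name%%@*}                 # "eth0@if5" -> "eth0" (veth/vlan style)
        flags=$(printf '%s\n' "$line" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
        case ",$flags," in *,LOOPBACK,*) continue ;; esac
        case ",$flags," in *,UP,*) ;; *) continue ;; esac
        reasons=""
        case ",$flags," in *,PROMISC,*) reasons="promisc" ;; esac
        # In `ip -o -4 addr` output the second field is the interface name.
        if ! printf '%s\n' "$2" | awk -v n="$name" '$2 == n { found = 1 } END { exit !found }'; then
            reasons="${reasons:+$reasons,}no-ipv4"
        fi
        if [ -n "$reasons" ]; then
            printf '%s %s\n' "$name" "$reasons"
        fi
    done
}

# Runs on the constructed sample by default; `--live` reads the real host.
if [ "${1:-}" = "--live" ]; then
    audit_ifaces "$(ip -o link)" "$(ip -o -4 addr)"
else
    audit_ifaces "$SAMPLE_LINK" "$SAMPLE_ADDR"
fi
```

On the sample it reports `eth1 promisc,no-ipv4` and nothing else: eth0 is up with an address, eth2 is down, and loopback is skipped. Run with `--live` from a cron job and diff the output against the list of interfaces you expect to be in that state, and a new entry is worth a look.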
