[Snort-users] Stealth snort with no separate sensor hardware

Alberto Gonzalez ag-snort at ...7149...
Sun Oct 27 16:44:03 EST 2002

Jan Ploski wrote:

>Basically, my idea would be to use a kernel module such as adore
>(the one which seemed to work with my 2.4.x kernel without crashing it)
>to conceal Snort's presence on the system to an unaware attacker.
>An intruder will typically look for logs and delete them right after
>their break-in.

when a rootkit is installing itself, the install process checks for 
other rootkits, so this idea of
using a rootkit to hide yourself isn't the best, but that doeesn't stop 
you from coding your own
kernel module (that doesn't need to read from a file,all instructions 
within) to do what your
looking for.

>But if the Snort process does not appear in the ps output, and the
>/var/log/snort directory does not exist for ls (but is accessible as
>/somewhere/else/.snortxyz for the administrator), how high would the
>probabilty of an intruder covering their tracks properly be?
>>From what I know about rootkits, the only trace of one having been
>installed would be in some system init script (which loads the kernel
>module; thereafter it becomes invisible for lsmod). There might also
>be a way of detecting that the NIC is runninng in the promiscuous
>mode (how? and don't rootkits hide this fact also?). Moreover,
>the stability and performance of the kernel running an off-the-net
>rootkit module such as adore is questionable. Does it incur much
>overhead on the masked system calls?
http://www.packetfactory.net/Projects/sentinel/ is a remote promisc 
detection utility.
and there are other ways to see if a card is in promisc mode. check 
ifstatus as well.

I haven't seen a performance hit on a machine that has adore loaded. but 
I could be wrong here.

Hope that helps

    - Albert

The secret to success is to start from scratch and keep on scratching.

More information about the Snort-users mailing list