[Snort-users] Stealth snort with no separate sensor hardware
ag-snort at ...7149...
Sun Oct 27 16:44:03 EST 2002
Jan Ploski wrote:
>Basically, my idea would be to use a kernel module such as adore
>(the one which seemed to work with my 2.4.x kernel without crashing it)
>to conceal Snort's presence on the system to an unaware attacker.
>An intruder will typically look for logs and delete them right after
When a rootkit is installing itself, the install process checks for other rootkits, so this idea of using a rootkit to hide yourself isn't the best, but that doesn't stop you from coding your own kernel module (that doesn't need to read from a file, all instructions within) to do what your
>But if the Snort process does not appear in the ps output, and the
>/var/log/snort directory does not exist for ls (but is accessible as
>/somewhere/else/.snortxyz for the administrator), how high would the
>probability of an intruder covering their tracks properly be?
>From what I know about rootkits, the only trace of one having been
>installed would be in some system init script (which loads the kernel
>module; thereafter it becomes invisible for lsmod). There might also
>be a way of detecting that the NIC is running in the promiscuous
>mode (how? and don't rootkits hide this fact also?). Moreover,
>the stability and performance of the kernel running an off-the-net
>rootkit module such as adore is questionable. Does it incur much
>overhead on the masked system calls?
http://www.packetfactory.net/Projects/sentinel/ is a remote promisc and there are other ways to see if a card is in promisc mode. Check ifstatus as well.
I haven't seen a performance hit on a machine that has adore loaded, but I could be wrong here.
Hope that helps
The secret to success is to start from scratch and keep on scratching.
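As an added illustration (not code from the thread or from any of the tools named in it), here is the kind of local promiscuous-mode check a tool like ifstatus performs, in Python: read each interface's flags word and test the IFF_PROMISC bit. It assumes a Linux host; the sample flag values are constructed, and a kernel-resident rootkit can lie to both the sysfs and the ioctl path, which is why the remote sentinel check in the reply remains useful.

```python
"""Local promiscuous-mode check: ask the kernel for each interface's flags
and test the IFF_PROMISC bit. Linux only (sysfs layout and ioctl numbers)."""
import fcntl
import socket
import struct
from pathlib import Path

IFF_PROMISC = 0x100      # flag bit from linux/if.h
SIOCGIFFLAGS = 0x8913    # "get interface flags" ioctl request (Linux)


def is_promisc(flags: int) -> bool:
    """True when the IFF_PROMISC bit is set in an interface flags word."""
    return bool(flags & IFF_PROMISC)


def promisc_from_sysfs_text(entries: dict) -> list:
    """Evaluate {iface: text of /sys/class/net/<iface>/flags} (hex strings).
    Kept pure so it can run over captured or constructed samples."""
    return sorted(name for name, text in entries.items()
                  if is_promisc(int(text.strip(), 16)))


def promisc_interfaces_sysfs() -> list:
    """Read the live flags of every interface from sysfs."""
    entries = {p.name: (p / "flags").read_text()
               for p in Path("/sys/class/net").iterdir()
               if (p / "flags").exists()}
    return promisc_from_sysfs_text(entries)


def iface_flags_ioctl(ifname: str) -> int:
    """Ask the kernel directly with SIOCGIFFLAGS; struct ifreq is a 16-byte
    name followed by a 16-byte union whose first field is the short flags."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        req = struct.pack("16sH14x", ifname.encode(), 0)
        res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, req)
    return struct.unpack("16sH14x", res)[1]


# Constructed sample: eth0 is UP|BROADCAST|MULTICAST|PROMISC, eth1 is not.
SAMPLE = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}

if __name__ == "__main__":
    print("sample:", promisc_from_sysfs_text(SAMPLE))
    try:
        print("live:", promisc_interfaces_sysfs())
    except OSError as exc:
        print("sysfs unavailable:", exc)
```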