[Snort-users] Stealth snort with no separate sensor hardware

quentyn at ...3871... quentyn at ...3871...
Mon Oct 28 09:36:02 EST 2002


Jan Ploski wrote:
> 
> Hello,
> 
>
> Basically, my idea would be to use a kernel module such as adore
> (the one which seemed to work with my 2.4.x kernel without crashing it)
> to conceal Snort's presence on the system to an unaware attacker.
> An intruder will typically look for logs and delete them right after
> their break-in.


I think you want something like the LIDS project
(http://lids.planetmirror.com/) 

you can make processes invisible as well as file systems and files (and
allow only certain users to see files etc)


you can also make files immutable or append only and a whole load of other
funky things, beware though you can make your system unbootable (like
when you hide /etc from everything ;o) )




Q

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
Don't get mad. Get covered in blood as you disembowel your enemies with
a chainsaw.
