[Snort-users] Snort start up on Multiple interface

Matt Kettler mkettler at ...4108...
Wed Apr 28 14:24:04 EDT 2004


At 04:40 PM 4/28/2004, Edin Dizdarevic wrote:

> > You mean you don't chroot your snort instances? :)
>
>Why should I do that on an SELinux? ;)

Clearly you're not sufficiently paranoid, as a good SELinux user would 
chroot anyway. After all, mistakes can be made in MAC configurations :)

They'd also:
         use a read-only network tap
         make sure the kernel is compiled without loadable module support
         compile snort with some form of stack-overflow detector enhanced gcc
         make sure that snort box was not able to talk to hosts outside 
your network, not even for http download, no matter what user tries. (ie: 
firewall enforced)
         make sure the snort box cannot relay email through your mailserver 
to hosts outside your network.
         make sure the snort box cannot perform DNS resolution of outside 
zones (dig www.snort.org should fail).
         wrap the entire machine in 5 layers of copper foil, making sure to 
cover up the LEDs, monitor, and keyboard in the process
         disconnect the machine from all power or network connections and 
burry it in 6 feet of concrete with no cables coming out.

But it's all a matter of how paranoid you want to be. My real point is that 
it never hurts to be oversecure unless you're loosing functionality you need.

Clearly chrooting under selinux is a bit redundant, but it doesn't hurt 
useful functionality, and protects you from mistakes so it does add some 
security.










More information about the Snort-users mailing list