[Snort-users] Snort start up on Multiple interface
mkettler at ...4108...
Wed Apr 28 14:24:04 EDT 2004
At 04:40 PM 4/28/2004, Edin Dizdarevic wrote:
> > You mean you don't chroot your snort instances? :)
>Why should I do that on an SELinux? ;)
Clearly you're not sufficiently paranoid, as a good SELinux user would
chroot anyway. After all, mistakes can be made in MAC configurations :)
use a read-only network tap
make sure the kernel is compiled without loadable module support
compile snort with some form of stack-overflow detector enhanced gcc
make sure that snort box was not able to talk to hosts outside
your network, not even for http download, no matter what user tries. (ie:
make sure the snort box cannot relay email through your mailserver
to hosts outside your network.
make sure the snort box cannot perform DNS resolution of outside
zones (dig www.snort.org should fail).
wrap the entire machine in 5 layers of copper foil, making sure to
cover up the LEDs, monitor, and keyboard in the process
disconnect the machine from all power or network connections and
burry it in 6 feet of concrete with no cables coming out.
But it's all a matter of how paranoid you want to be. My real point is that
it never hurts to be oversecure unless you're loosing functionality you need.
Clearly chrooting under selinux is a bit redundant, but it doesn't hurt
useful functionality, and protects you from mistakes so it does add some
More information about the Snort-users