[Snort-users] Snort start up on Multiple interface

Milo Velimirovic milov at ...1467...
Thu Apr 29 07:24:19 EDT 2004


On Apr 28, 2004, at 4:23 PM, Matt Kettler wrote:

> At 04:40 PM 4/28/2004, Edin Dizdarevic wrote:
>
>> > You mean you don't chroot your snort instances? :)
>>
>> Why should I do that on an SELinux? ;)
>
> Clearly you're not sufficiently paranoid, as a good SELinux user would 
> chroot anyway. After all, mistakes can be made in MAC configurations 
> :)
>
> They'd also:
>         use a read-only network tap
>         make sure the kernel is compiled without loadable module support
>         compile snort with some form of stack-overflow detector enhanced gcc
>         make sure that snort box was not able to talk to hosts outside your network, not even for http download, no matter what user tries. (ie: firewall enforced)
>         make sure the snort box cannot relay email through your mailserver to hosts outside your network.
>         make sure the snort box cannot perform DNS resolution of outside zones (dig www.snort.org should fail).
>         wrap the entire machine in 5 layers of copper foil, making sure to cover up the LEDs, monitor, and keyboard in the process

You left out the operator/sysadmin enhancements:
http://www.stopabductions.com/

>         disconnect the machine from all power or network connections and bury it in 6 feet of concrete with no cables coming out.
>
> But it's all a matter of how paranoid you want to be. My real point is 
> that it never hurts to be oversecure unless you're losing 
> functionality you need.
>
> Clearly chrooting under selinux is a bit redundant, but it doesn't 
> hurt useful functionality, and protects you from mistakes so it does 
> add some security.
>
Milo Velimirović       <milov "at" uwlax "dot" edu>
Unix Computer Network Administrator
University of Wisconsin - La Crosse
La Crosse, Wisconsin 54601 USA   43 48 05 N 91 14 22 W

There are 10 different types of people in the world.
Those who can read binary and those who can't.





