Thu Nov 23 16:36:19 EST 2017
installed would be in some system init script (which loads the kernel
module; thereafter it becomes invisible for lsmod). There might also
be a way of detecting that the NIC is running in the promiscuous
mode (how? and don't rootkits hide this fact also?). Moreover,
the stability and performance of the kernel running an off-the-net
rootkit module such as adore is questionable. Does it incur much
overhead on the masked system calls?
Basically, I am curious to hear your opinions. Is it a flawed idea
and a waste of effort, or could it be made into a "recommended best
practice" for small sites lacking dedicated sensor hardware? Maybe
someone does have real-life experience with a setup like this?
Best regards -