Snort mailing list archives

Stealth snort with no separate sensor hardware


From: Jan Ploski <jpljpl () gmx de>
Date: Sun, 27 Oct 2002 19:02:34 +0100 (CET)

Hello,

I was wondering whether it would be difficult and reasonable to hide
Snort and related files from the process list/file system for
retaining logs after a possible security breach.

I am well aware of the techniques involving installing a sensor on a
stealth NIC, installing a separate syslog server also using a stealth
NIC and the like.

What I am pondering is improving the chance of survival for logs
hosted in an environment where snort is running on the protected host
itself, for lack of hardware resources. This may be very applicable for
co-location and dedicated hosting services, where you have full
control over a SINGLE box and getting another machine to do the
logging/monitoring for you involves a significant recurring cost.

Basically, my idea would be to use a kernel module such as adore
(the one which seemed to work with my 2.4.x kernel without crashing it)
to conceal Snort's presence on the system to an unaware attacker.
An intruder will typically look for logs and delete them right after
their break-in.

But if the Snort process does not appear in the ps output, and the
/var/log/snort directory does not exist for ls (but is accessible as
/somewhere/else/.snortxyz for the administrator), how high would the
probability of an intruder covering their tracks properly be?

From what I know about rootkits, the only trace of one having been
installed would be in some system init script (which loads the kernel
module; thereafter it becomes invisible for lsmod). There might also
be a way of detecting that the NIC is running in the promiscuous
mode (how? and don't rootkits hide this fact also?). Moreover,
the stability and performance of the kernel running an off-the-net
rootkit module such as adore is questionable. Does it incur much
overhead on the masked system calls?

Basically, I am curious to hear your opinions. Is it a flawed idea
and a waste of effort, or could it be made into a "recommended best
practice" for small sites lacking dedicated sensor hardware? Maybe
someone does have real-life experience with a setup like this?

Best regards -
Jan Ploski
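The two detection questions raised above (is the NIC in promiscuous mode, and is a process being hidden from ps) can both be answered from user space on the protected host itself. The script below is an added example, not code from the original post or from the Snort project. It assumes a Linux host with procfs and sysfs: the /sys/class/net/<iface>/flags file is a 2.6-era interface (on a 2.4.x kernel the same IFF_PROMISC bit came out of ifconfig via SIOCGIFFLAGS), and the function names (is_promisc, find_hidden, live_scan) are this example's own. The process check is the classic readdir-versus-probe comparison: a module that filters /proc out of getdents() hides the entry from ps and ls, but kill(pid, 0) still reports the pid as existing unless the module hooks sys_kill as well.

```python
"""Expose what a process-hiding kernel module conceals, from user space.

Two checks: (1) a NIC in promiscuous mode, read from the interface's
kernel flags rather than from ifconfig output; (2) processes that are
alive but missing from the /proc directory listing that ps walks.
Added example; helper names and the sysfs layout are assumptions.
"""
import os

# IFF_PROMISC from <linux/if.h>; /sys/class/net/<iface>/flags holds hex text.
IFF_PROMISC = 0x100


def is_promisc(flags_text):
    """True if IFF_PROMISC is set in a sysfs flags value such as '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_root="/sys/class/net"):
    """Names of interfaces whose kernel flags include IFF_PROMISC."""
    found = []
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                if is_promisc(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # interface vanished or flags unreadable; skip it
    return found


def parse_tgid(status_text):
    """Thread-group id from /proc/<pid>/status text, or None if absent."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def find_hidden(listed, alive, tgid_of):
    """Pids that answer kill(pid, 0) but are absent from readdir(/proc).

    listed  : set of pids seen in the /proc directory listing
    alive   : set of pids for which kill(pid, 0) did not fail with ESRCH
    tgid_of : callable pid -> Tgid, or None if /proc/<pid>/status is unreadable

    Linux lists only thread-group leaders in /proc, yet kill(tid, 0)
    succeeds for any thread id, so threads of a visible process are not
    hidden; they are filtered out by their Tgid. A pid whose status file
    cannot be read at all is reported, since a hiding module may block
    the direct lookup as well as the listing.
    """
    hidden = []
    for pid in sorted(alive - listed):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            continue  # secondary thread of some process, not a hidden leader
        hidden.append(pid)
    return hidden


def live_scan():
    """Run both checks against the running host (Linux only)."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)   # signal 0: existence check, nothing is delivered
        except ProcessLookupError:
            continue          # ESRCH: no such process
        except PermissionError:
            pass              # EPERM: exists, but owned by another user
        alive.add(pid)

    def tgid_of(pid):
        try:
            with open("/proc/%d/status" % pid) as fh:
                return parse_tgid(fh.read())
        except OSError:
            return None

    return find_hidden(listed, alive, tgid_of), promisc_interfaces()


if __name__ == "__main__":
    hidden, promisc = live_scan()
    print("hidden pids:", hidden or "none")
    print("promiscuous interfaces:", promisc or "none")
```

Two caveats for reading the output. A process that starts between the /proc listing and the pid sweep shows up as a false positive, so a single hit is worth a second run before anyone draws conclusions. And both checks only see what the kernel hands back: a module that also hooks sys_kill, or hides the promiscuous flag from the interface's flags readout, defeats them, which is exactly why a dedicated sensor on a separate box is the stronger design where the budget allows it.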



Snort-users mailing list
Snort-users () lists sourceforge net