Snort mailing list archives

Re: Stealth snort with no separate sensor hardware


From: Alberto Gonzalez <ag-snort () cerebro violating us>
Date: Sun, 27 Oct 2002 19:44:09 -0800

Jan Ploski wrote:

> Basically, my idea would be to use a kernel module such as adore
> (the one which seemed to work with my 2.4.x kernel without crashing it)
> to conceal Snort's presence on the system to an unaware attacker.
> An intruder will typically look for logs and delete them right after
> their break-in.


When a rootkit is installing itself, the install process checks for other rootkits, so this idea of using a rootkit to hide yourself isn't the best, but that doesn't stop you from coding your own kernel module (that doesn't need to read from a file, all instructions within) to do what you're looking for.

> But if the Snort process does not appear in the ps output, and the
> /var/log/snort directory does not exist for ls (but is accessible as
> /somewhere/else/.snortxyz for the administrator), how high would the
> probability of an intruder covering their tracks properly be?
>
> From what I know about rootkits, the only trace of one having been
> installed would be in some system init script (which loads the kernel
> module; thereafter it becomes invisible for lsmod). There might also
> be a way of detecting that the NIC is running in the promiscuous
> mode (how? and don't rootkits hide this fact also?). Moreover,
> the stability and performance of the kernel running an off-the-net
> rootkit module such as adore is questionable. Does it incur much
> overhead on the masked system calls?

http://www.packetfactory.net/Projects/sentinel/ is a remote promisc detection utility, and there are other ways to see if a card is in promisc mode. Check ifstatus as well.

I haven't seen a performance hit on a machine that has adore loaded, but I could be wrong here.

Hope that helps

   - Albert

--
The secret to success is to start from scratch and keep on scratching.
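The thread asks how promiscuous mode on a sensor NIC can be detected. As an added example that is not part of the original exchange (and not code from the Snort project, sentinel or ifstatus), the script below shows the simplest local check on Linux: reading the interface flag word from /sys/class/net/<iface>/flags and testing the IFF_PROMISC bit (0x100, from <linux/if.h>). The sample flag values in `demo` are constructed, not captured from a real host. It assumes a Linux system with sysfs mounted; like any host-local check, it reports whatever the running kernel exposes, which is exactly why the thread points at a remote detector such as sentinel for the case where a kernel module is hiding state.

```shell
#!/bin/sh
# Added example: local promiscuous-mode check via sysfs (Linux).
# IFF_PROMISC is bit 0x100 of the interface flag word in <linux/if.h>.
IFF_PROMISC=256

# is_promisc_flags FLAGS
# FLAGS is a flag word as printed by sysfs (e.g. 0x1103). Returns 0 (true)
# when the PROMISC bit is set, 1 otherwise.
is_promisc_flags() {
    flags=$(( $1 ))                      # shell arithmetic parses 0x-prefixed hex
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# check_iface IFACE
# Reads the live flag word for one interface and prints its state.
# Returns 0 if promiscuous, 1 if not, 2 if the interface has no sysfs entry.
check_iface() {
    f="/sys/class/net/$1/flags"
    if [ ! -r "$f" ]; then
        echo "$1: no sysfs entry"
        return 2
    fi
    if is_promisc_flags "$(cat "$f")"; then
        echo "$1: PROMISC"
        return 0
    fi
    echo "$1: not promiscuous"
    return 1
}

# check_all
# Walks every interface under /sys/class/net and reports each one.
check_all() {
    for d in /sys/class/net/*; do
        [ -d "$d" ] && check_iface "${d##*/}"
    done
    return 0
}

# demo
# Constructed flag words for offline use: 0x1003 is UP|BROADCAST|MULTICAST,
# a typical idle Ethernet interface; 0x1103 is the same plus PROMISC.
demo() {
    if is_promisc_flags 0x1103; then echo "0x1103 -> PROMISC"; fi
    if is_promisc_flags 0x1003; then :; else echo "0x1003 -> clean"; fi
}

# Run 'demo' when executed directly; call check_all on a live host.
demo
```

On a real host run `check_all` as root; a sensor interface that Snort is sniffing on will normally show the PROMISC bit, so the check is mainly useful as a baseline for spotting interfaces that should not be in that state.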



