Snort mailing list archives
Re: Stealth snort with no separate sensor hardware
From: Alberto Gonzalez <ag-snort () cerebro violating us>
Date: Sun, 27 Oct 2002 19:44:09 -0800
Jan Ploski wrote:
Basically, my idea would be to use a kernel module such as adore (the one which seemed to work with my 2.4.x kernel without crashing it) to conceal Snort's presence on the system to an unaware attacker. An intruder will typically look for logs and delete them right after their break-in.
When a rootkit is installing itself, the install process checks for other rootkits, so this idea of using a rootkit to hide yourself isn't the best, but that doesn't stop you from coding your own kernel module (that doesn't need to read from a file, all instructions within) to do what you're looking for.
http://www.packetfactory.net/Projects/sentinel/ is a remote promisc detection utility, and there are other ways to see if a card is in promisc mode. Check ifstatus as well.
Jan Ploski wrote:
But if the Snort process does not appear in the ps output, and the /var/log/snort directory does not exist for ls (but is accessible as /somewhere/else/.snortxyz for the administrator), how high would the probability of an intruder covering their tracks properly be? From what I know about rootkits, the only trace of one having been installed would be in some system init script (which loads the kernel module; thereafter it becomes invisible for lsmod). There might also be a way of detecting that the NIC is running in the promiscuous mode (how? and don't rootkits hide this fact also?). Moreover, the stability and performance of the kernel running an off-the-net rootkit module such as adore is questionable. Does it incur much overhead on the masked system calls?
I haven't seen a performance hit on a machine that has adore loaded, but I could be wrong here.
Hope that helps - Albert
-- The secret to success is to start from scratch and keep on scratching.
Snort-users mailing list: Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
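The thread mentions checking whether a NIC is in promiscuous mode (sentinel remotely, ifstatus locally) as one way an administrator could notice a hidden sniffer, and asks whether a rootkit could hide that too. The script below is an added example written for this page, not code from the thread, from Snort, or from sentinel/ifstatus. It reads the kernel's own view of each interface from /sys/class/net/<iface>/flags (a hex string of IFF_* flags) and lists interfaces with IFF_PROMISC (0x100) set. The fake sysfs tree and the flag values in the sample are constructed so the check runs offline.

```python
"""Local promiscuous-mode check for Linux NICs (added example, not from the thread).

/sys/class/net/<iface>/flags is a hex string of the interface's IFF_* flags;
this reports every interface with IFF_PROMISC set. It is a host-side
cross-check to run alongside a remote probe: a kernel-resident rootkit that
hides processes and files has to hook this sysfs view separately to lie here.
"""
import os
import tempfile

IFF_UP = 0x1          # values from linux/if.h
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000


def parse_flags(text: str) -> int:
    """Parse the hex flag word as found in /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promisc(flags: int) -> bool:
    """True when the IFF_PROMISC bit is set in the flag word."""
    return bool(flags & IFF_PROMISC)


def promisc_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Return the sorted names of interfaces under sysfs_root whose flags include IFF_PROMISC."""
    found = []
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue  # not a NIC entry, or unreadable: skip rather than guess
        if is_promisc(flags):
            found.append(iface)
    return found


def build_fake_sysfs(flag_map: dict) -> str:
    """Constructed stand-in for /sys/class/net so the check can be exercised offline."""
    root = tempfile.mkdtemp(prefix="fake_sysfs_")
    for iface, flags in flag_map.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(f"0x{flags:x}\n")
    return root


if __name__ == "__main__":
    # Constructed sample: eth0 is UP|BROADCAST|PROMISC|MULTICAST (0x1103),
    # eth1 is the same without PROMISC (0x1003), lo is UP|LOOPBACK (0x9).
    sample = build_fake_sysfs({"eth0": 0x1103, "eth1": 0x1003, "lo": 0x9})
    print("offline sample:", promisc_interfaces(sample))   # ['eth0']
    if os.path.isdir("/sys/class/net"):
        print("this host:", promisc_interfaces())
```

The sysfs value is what the running kernel reports, so this check only sees what a kernel module has not already altered; that is exactly the limitation the thread raises, which is why the remote sentinel-style probe it links to is the better signal and this local read is a cheap second opinion, not a replacement.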
Current thread:
- Stealth snort with no separate sensor hardware Jan Ploski (Oct 27)
- RE: Stealth snort with no separate sensor hardware Wayne T Work (Oct 27)
- Re: Stealth snort with no separate sensor hardware Alberto Gonzalez (Oct 27)
- Re: Stealth snort with no separate sensor hardware quentyn (Oct 28)
- <Possible follow-ups>
- RE: Stealth snort with no separate sensor hardware Justin Jessup (Oct 27)
- RE: Stealth snort with no separate sensor hardware Jan Ploski (Oct 27)