 
From: Joseph Nicholas Yarbrough (nyarbroughLURHQ.COM)
Date: Wed Jan 10 2001 - 18:41:28 CST


    I will attempt to keep my tone low. ;]

    If an IDS (IDS = snort in my case) is set up properly, it is not a problem.
    Snort should:
    1) be in a restart loop with some logging/alerting when it dies.
    2) be in chroot with all the files in that directory unwritable and not owned
    by snort's EUID.
    3) drop privileges.
    4) be logging to some other machine via some secure means.

    Then you have no concerns besides the small delay in the snort crash/restart
    process, and you know when snort is being restarted over and over.
    That gives you the option of finding out what is causing the restarts via
    ethereal or some other means.

    I respectfully submit that this is a known problem that has been addressed,
    and that this thread should be killed. Of course an IDS, or any other
    program, can be set up incorrectly, and be a security hazard.

    -Nick

    Joseph Nicholas Yarbrough
    Information Security Analyst
    LURHQ Corporation
    ==========================>
    843-903-4ESM (4376) ext. 312
    http://www.lurhq.com
    nyarbroughlurhq.com
    "Information Security Specialists"
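
The four setup points in the message above, sketched as an added shell example that is not part of the original post: an ownership and write-permission audit of the chroot directory, and a restart loop that alerts on every exit. The chroot path, the `snort` account, the interface and the helper names `audit_chroot` and `supervise` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The chroot path, the "snort"
# account and the interface in the usage line are assumed values.

# Point 2: list every path under chroot dir $1 that uid $2 owns, that is
# world-writable, or that is group-writable for gid $3. Returns 0 when clean.
audit_chroot() {
    bad=$(find "$1" ! -type l \( -user "$2" -o -perm -0002 \
            -o \( -group "$3" -perm -0020 \) \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Point 1: run "$@" in a loop and report every exit. ALERT_CMD defaults to
# syslog via logger(1); forwarding syslog to another host (point 4) is left to
# the syslog daemon's configuration. MAX_RESTARTS=0 means loop forever.
supervise() {
    restarts=0
    while :; do
        status=0
        "$@" || status=$?
        restarts=$((restarts + 1))
        ${ALERT_CMD:-logger -p daemon.alert -t snort-wrap} \
            "exit status $status, restart #$restarts"
        if [ "${MAX_RESTARTS:-0}" -gt 0 ] && [ "$restarts" -ge "$MAX_RESTARTS" ]; then
            break
        fi
        sleep "${RESTART_DELAY:-5}"
    done
}

# Usage (point 3 relies on snort's own -t chroot and -u/-g options, which take
# effect after initialization; -s sends alerts to syslog):
#   audit_chroot /var/snort "$(id -u snort)" "$(id -g snort)" &&
#     supervise snort -i eth0 -c /etc/snort.conf -t /var/snort -u snort -g snort -s
```

A steadily climbing restart counter in the alerts is the signal to start capturing traffic and find what is crashing the sensor.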