From: Alberto Gonzalez (ag-snort_at_cerebro.violating.us)
Date: Sun Oct 27 2002 - 21:44:09 CST
Jan Ploski wrote:
>Basically, my idea would be to use a kernel module such as adore
>(the one which seemed to work with my 2.4.x kernel without crashing it)
>to conceal Snort's presence on the system to an unaware attacker.
>An intruder will typically look for logs and delete them right after
>their break-in.
>
When a rootkit is installing itself, the install process checks for other rootkits, so this idea of using a rootkit to hide yourself isn't the best, but that doesn't stop you from coding your own kernel module (that doesn't need to read from a file, all instructions within) to do what you're looking for.
>But if the Snort process does not appear in the ps output, and the
>/var/log/snort directory does not exist for ls (but is accessible as
>/somewhere/else/.snortxyz for the administrator), how high would the
>probabilty of an intruder covering their tracks properly be?
>
>From what I know about rootkits, the only trace of one having been
>installed would be in some system init script (which loads the kernel
>module; thereafter it becomes invisible for lsmod). There might also
>be a way of detecting that the NIC is running in the promiscuous
>mode (how? and don't rootkits hide this fact also?). Moreover,
>the stability and performance of the kernel running an off-the-net
>rootkit module such as adore is questionable. Does it incur much
>overhead on the masked system calls?
>
>
http://www.packetfactory.net/Projects/sentinel/ is a remote promisc detection utility, and there are other ways to see if a card is in promisc mode. Check ifstatus as well.

I haven't seen a performance hit on a machine that has adore loaded, but I could be wrong here.
Hope that helps
- Albert
-- The secret to success is to start from scratch and keep on scratching.
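The local promisc-mode check that Alberto points at with ifstatus can be done by hand on a modern Linux box: the kernel exposes each interface's flag word in sysfs, and IFF_PROMISC is bit 0x100 in that word (the value from <linux/if.h>). The script below is an added example, not code from the post or from ifstatus/sentinel; it assumes a Linux kernel with sysfs, which the 2.4 kernels discussed in the thread predate, and the sample flag values are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: decode IFF_PROMISC from the Linux sysfs flag word.
# Assumes /sys/class/net/<iface>/flags holds the interface flags as a hex
# number (e.g. 0x1003) and that IFF_PROMISC == 0x100 (<linux/if.h>).

# flags_promisc HEXFLAGS -> prints "promisc" or "normal"
# Pure function: takes the flag word as an argument so it can be tested
# on constructed values without touching a live interface.
flags_promisc() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then
        echo promisc
    else
        echo normal
    fi
}

# iface_promisc IFACE -> reads the live flag word for one interface
iface_promisc() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || { echo "no such interface: $1" >&2; return 2; }
    flags_promisc "$(cat "$f")"
}

# check_all -> one line per interface present on this host
check_all() {
    for d in /sys/class/net/*; do
        [ -e "$d/flags" ] || continue
        printf '%s: %s\n' "$(basename "$d")" "$(flags_promisc "$(cat "$d/flags")")"
    done
}

# Constructed sample values (not real captures):
#   0x1003 = UP|BROADCAST|MULTICAST, a typical idle NIC
#   0x1103 = the same word with IFF_PROMISC set, what a sniffer like Snort leaves behind
# Uncomment to run against the live host:
# check_all
```

The caveat that matters for the thread: this reads what the kernel reports, so a kernel module that hooks the flag lookup (the kind of thing adore-style rootkits do for ifconfig) can lie to it just as easily as to ifstatus. That is exactly why the remote approach sentinel takes (probing the host from another machine) is worth having alongside the local check.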