[ale] Snort (Intrusion Detection)

Jonathan Rickman jrickman at gmail.com
Thu Mar 24 13:33:06 EST 2005


I probably should clarify that to add that on the server itself (as in
the web server) there is no need for snort to be in promisc mode to
begin with. Bob is correct that a snort box running in promisc mode
should be a dedicated machine, but I advise using the -u option even
on these machines to help mitigate the risks of a remote exploit in
snort itself.

--
Jonathan


On Thu, 24 Mar 2005 13:21:55 -0500, Jonathan Rickman <jrickman at gmail.com> wrote:
> You can run snort as a non-root user by using the -u parameter. This
> makes snort run as an unprivileged user after root kicks the if into
> promisc mode. Anyone exploiting snort after it's started this way will
> not be able to use any root privs, but if they are pretty good they
> might be able to use the existing socket unless their original exploit
> caused snort to fail.
> 
> --
> Jonathan
> 
> 
> On Thu, 24 Mar 2005 13:06:55 -0500, Bob Toxen
> <transam at verysecurelinux.com> wrote:
> > On Thu, Mar 24, 2005 at 12:49:14PM -0500, Jeff Hubbs wrote:
> > > In practice, is Snort run *on* an Internet-facing Web server or does one
> > > run Snort on a dual-homed machine *in front of* a Web server?  Can
> > > anyone hold court on the subject?
> > It depends!  It depends on what level of security is desired and what
> > one's budget is.  Snort generally runs set-UID to root and there have
> > been remote root vulnerabilities -- as I recall.
> >
> > For highest security, one's Firewall/IDS/IPS should be separate from what
> > it detects.  This is in case there is a remote vulnerability on the
> > Firewall/IDS/IPS software but not on the server software behind it.
> >
> > > Jeff
> >
> > Bob Toxen
> > bob at verysecurelinux.com               [Please use for email to me]
> > http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> > http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> > Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> >
> > "Microsoft: Unsafe at any clock speed!"
> >    -- Bob Toxen 10/03/2002
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >
>

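The -u privilege drop discussed in this thread, as an added C example (not snort's own code): root opens the capture socket and puts the interface into promiscuous mode, then the process permanently drops to an unprivileged uid/gid and checks that root is unreachable. It assumes Linux (AF_PACKET) and glibc; the interface name "eth0" and uid/gid 65534 are constructed sample values.

```c
#define _GNU_SOURCE /* setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <linux/if_ether.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netpacket/packet.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1 (root only): raw capture socket with the interface in promiscuous mode. */
int open_promisc_socket(const char *ifname)
{
    struct packet_mreq mr = { .mr_type = PACKET_MR_PROMISC };
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    mr.mr_ifindex = (int)if_nametoindex(ifname);
    if (mr.mr_ifindex == 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* Step 2: drop root for good. Order matters: supplementary groups, then the
 * primary gid, then the uid; an unchecked setuid() failure keeps root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    return 0;
}
/* Step 3: confirm the drop is irreversible; setuid(0) must now fail. */
int root_unreachable(void)
{
    if (getuid() == 0 || geteuid() == 0) return 0;
    return setuid(0) == -1 && errno == EPERM;
}
int main(int argc, char **argv)
{
    /* "eth0" is a constructed default; 65534 is "nobody" on many Linux systems
     * (snort looks its -u user up by name). The root-opened fd survives the drop. */
    int fd = open_promisc_socket(argc > 1 ? argv[1] : "eth0");
    if (fd < 0 || drop_privileges(65534, 65534) < 0) { perror("setup"); return 1; }
    printf("capturing as uid %u, root unreachable: %d\n", (unsigned)getuid(), root_unreachable());
    close(fd);
    return 0;
}
```

The socket opened before the drop stays readable by the unprivileged process, which is the residual exposure the "existing socket" remark above refers to.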