[ale] Snort (Intrusion Detection)
Bob Toxen
transam at verysecurelinux.com
Thu Mar 24 14:26:25 EST 2005
On Thu, Mar 24, 2005 at 01:21:55PM -0500, Jonathan Rickman wrote:
> You can run snort as a non-root user by using the -u parameter. This
> makes snort run as an unprivileged user after root kicks the if into
> promisc mode. Anyone exploiting snort after it's started this way will
> not be able to use any root privs, but if they are pretty good they
> might be able to use the existing socket unless their original exploit
> caused snort to fail.
The -u parameter (and the respective capability in similar servers that
listen on privileged ports, such as named and Apache) is highly recommended
(and should be considered mandatory).
However, even so, a compromise will allow a cracker to listen to all traffic
going across the wire.
Btw, Sendmail can be set up to not run as root, and this is highly recommended.
> --
> Jonathan
Bob
> On Thu, 24 Mar 2005 13:06:55 -0500, Bob Toxen
> <transam at verysecurelinux.com> wrote:
> > On Thu, Mar 24, 2005 at 12:49:14PM -0500, Jeff Hubbs wrote:
> > > In practice, is Snort run *on* an Internet-facing Web server or does one
> > > run Snort on a dual-homed machine *in front of* a Web server? Can
> > > anyone hold court on the subject?
> > It depends! It depends on what level of security is desired and what
> > one's budget is. Snort generally runs set-UID to root and there have
> > been remote root vulnerabilities -- as I recall.
> >
> > For highest security, one's Firewall/IDS/IPS should be separate from what
> > it detects. This is in case there is a remote vulnerability on the
> > Firewall/IDS/IPS software but not on the server software behind it.
> >
> > > Jeff
> >
> > Bob Toxen
> > bob at verysecurelinux.com [Please use for email to me]
> > http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
> > http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> > Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> >
> > "Microsoft: Unsafe at any clock speed!"
> > -- Bob Toxen 10/03/2002
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >
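The pattern Jonathan describes (open the capture socket as root, then drop to an unprivileged user, as snort -u/-g does) and the residual risk Bob and Jonathan point out (the already-open socket still sniffs every packet after the drop) can be shown in a few dozen lines. The program below is an added example written for this page, not Snort's code; it assumes Linux (AF_PACKET), and the interface and user names are command-line arguments chosen by whoever runs it. The drop uses setresuid/setresgid so that the saved set-user-ID is cleared too, and it checks afterwards that root cannot be regained.

```c
/* Added example (not Snort's code): privilege drop after opening a
 * promiscuous packet socket. Linux-only (AF_PACKET).
 * Build: cc -Wall -o dropdemo dropdemo.c
 * Run:   sudo ./dropdemo eth0 nobody      (interface and user are assumptions)
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1 (as root): open a raw packet socket bound to ifname and join
 * promiscuous mode. Needs CAP_NET_RAW. Returns fd or -1 with errno set. */
int open_capture_socket(const char *ifname)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0) { close(fd); return -1; }

    struct packet_mreq mr;               /* promiscuous-mode membership */
    memset(&mr, 0, sizeof mr);
    mr.mr_ifindex = (int)ifindex;
    mr.mr_type = PACKET_MR_PROMISC;
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        close(fd); return -1;
    }
    struct sockaddr_ll sll;              /* bind capture to this interface */
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }
    return fd;
}

/* Step 2: irrevocably become uid/gid. Order matters: supplementary groups
 * and gid first (they still need root), uid last. setres* sets real,
 * effective AND saved ids, so a later setuid(0) cannot restore root.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0)   /* only root may call this */
        return -1;
    if (setresgid(gid, gid, gid) < 0)
        return -1;
    if (setresuid(uid, uid, uid) < 0)
        return -1;
    return 0;
}

/* Step 3: confirm the drop. All four ids must match, and once non-root,
 * an attempt to regain root must be refused. Returns 1 if dropped, 0 if not. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail with EPERM after a real drop */
        return 0;
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <iface> <user>\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[2]);
    if (!pw) { fprintf(stderr, "no such user: %s\n", argv[2]); return 2; }

    int fd = open_capture_socket(argv[1]);
    if (fd < 0) { perror("open_capture_socket (run as root?)"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("drop_privileges"); return 1; }
    if (!privileges_dropped(pw->pw_uid, pw->pw_gid)) { fputs("drop not effective\n", stderr); return 1; }
    printf("now uid=%u gid=%u; root cannot be regained\n", (unsigned)getuid(), (unsigned)getgid());

    /* The point Bob makes: the socket opened as root keeps working, so a
     * compromised process can still read every frame on the wire. */
    unsigned char buf[2048];
    for (int i = 0; i < 3; i++) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        printf("captured %zd-byte frame as unprivileged user\n", n);
    }
    close(fd);
    return 0;
}
```

Run it as root against a real interface to see the three frames arrive after the drop; run it as an ordinary user and the socket open fails with EPERM, which is exactly the capability the drop takes away from any code that runs later. The check in privileges_dropped is the part most privilege-dropping code forgets: a plain seteuid() leaves the saved uid at 0 and the process can silently climb back.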