Slashdot Mirror


Using Snort Stealthily

jukal writes "Linux Journal has an article on using Snort as a stealth sniffer, a stealth NIDS probe and a stealth logger -- on a network interface with no IP address. 'Snort is a versatile and powerful tool for sniffing, intrusion detection and packet logging. Configuring it to run stealthily in sniffing mode or NIDS mode is easy; incorporating it into a stealth-logging solution is only slightly less so.'"

7 of 148 comments

  1. Re:Warning by flonker · · Score: 5, Interesting

    It's easy to remain undetected with a custom patch cord (no transmit). IIRC, for 10BaseT you simply didn't set up the TX wires, and for 100BaseT you untwisted one of the twisted pairs.

    It's even possible to remain undetected with software only, but you *really* need to know what you're doing. Stuff can be detected on the ethernet layer that most people aren't aware of.

  2. Interesting challenge by DragonWyatt · · Score: 4, Interesting

    Unfortunately, the NIC can still introduce errors and whatnot onto the segment... Also, don't forget that not all traffic on an ethernet segment is IP!

    The biggest problems are:
    1. A switch can mangle the packets a little before they're port-mirrored
    2. How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port :) ? (dropped packets are a significant reality on a busy network)
    'Course, what you REALLY need is a good, *electrically* transparent impedance matching tap, like one of these.
    --
    Don't sweat the petty things. But do pet the sweaty things.

    1. Re:Interesting challenge by ericman31 · · Score: 3, Interesting

      2. How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port :) ? (dropped packets are a significant reality on a busy network)

      Simple: you connect your firewall to a hub on each interface. You then connect your hub to the switches (or routers) that carry network traffic for each interface. On that same hub you connect your IDS, running in stealth mode. The IDS will pick up all packets, since a hub simply repeats all traffic out every port. Those packets that are dropped outbound from the firewall will be caught by the firewall syslogs. Inbound packets that are dropped are going to be of little concern if they are dropped prior to the firewall interface.

      --
      In my universe I'm perfectly normal, it's not my fault you don't live in my universe.

  3. Re:Snort is okay by marmoset · · Score: 4, Interesting

    Whew, the ISS marketing guys really did a number on your mind, didn't they?

    I worked on intrusion detection at a site where we had two IDS systems set up in parallel, one based on RealSecure and the other being a custom-tailored solution that utilized a "sensor" machine sitting in our DMZ with a quiet NIC, similar to what's described in the linked article. It used tcpdump for data collection, and saved most of our incoming and outgoing network traffic to a fast disk array for analysis (based on tcpdump filters). Hourly scripts would process the saved packets with Snort (and a variety of other tools, some of them free and some of them custom written for us and the other sites on our WAN).


    While RealSecure is fine for detecting bumbling script kiddies and obvious misconfigurations (like unpatched boxes becoming Nimda zombies), the tcpdump solution was far better at detecting the serious intrusion attempts, like the slow and low network probes with custom crafted packets, and telling us exactly who on our network was doing boneheaded things like using telnet across network boundaries. RealSecure's coming in a pretty box and costing a lot of money doesn't make it the end-all be-all of intrusion detection systems.

  4. Re:Snort is okay by RagManX · · Score: 4, Interesting

    But you are much better off using something like ISS' RealSecure

    The wonderful tool which is less configurable than Snort, doesn't log data as well, and provides less viewable data about packets which set off alerts.

    which feeds into either workgroup manager or their new flagship product, Site Protector.

    And this is better than Snort how? Snort can log to local or remote databases, text files, syslog, and probably other formats (but I haven't tried). It supports multiple output formats, so you can choose how you want to look at the data. It also supports loading a database from tcpdump files (our training with ISS never covered how to do this with RealSecure, and I'm doubtful that it can be done).

    With that, you can dump all your events into a superior MS SQL 2000 server for event correlation, queries, and forensics.

    Superior in what way? It costs more than Postgres or MySQL, has more holes than any other database out there, and costs an insane amount of money compared to what most people running Snort would use (we use MySQL here, I know many people using Postgres, or you can dump to text files).

    You can also tie together your intrusion detection with your vulnerability assessment so, if you see a bunch of a certain kind of attack, you can automatically launch a vulnerability assessment with just that attack to ensure you have everything protected (and to make sure that there isn't a new development or test box sitting there insecure since you had no inkling of its existence).

    In the world of real security grunts, we like to call such a tool Nessus (http://www.nessus.org/). It scans for more vulnerabilities than ISS (the marketing claims by ISS notwithstanding), is updated more frequently, offers more flexibility in scanning options, has a better support community, and is free.

    Unfortunately for me, ISS has brainwashed many, many people in the Department of Energy. I'm forced to use their product on a day-to-day basis. On the upside, I can run Snort and Nessus to do all my real checks and detects, and then go to the ISS products I have to use, try to make them show me the data I need, and report with that. But every single site I have to deal with which uses ISS has done the same thing I've done - shoved it in a corner, set up a system with Snort and a system with Nessus, and gone about getting real work done with free, easy to use, well supported tools.

    RagManX

  5. Reasons for a security sniffer... by Anonymous Coward · · Score: 2, Interesting

    Just a little story. At my previous job (an e-commerce .com site, where our database contained probably several million credit-card#'s and email addresses), we hired a few consultants to do some Java coding...

    About a week later, because of our security tools, we discovered one of the consultants port-scanning our network. The director went and asked him why he was port scanning, with no good reply, and told him to stop doing it.

    About 2 weeks later, yet again, the *same* consultant was found port-scanning the network again, this time hitting our production website boxes at our offsite co-location (which includes the database boxes, loaded with data that only a handful of people had access to). He was promptly walked out the door, and the consulting company was asked to replace him with someone else.

    While a firewall will protect you from attacks from the outside, attacks from the inside are just as dangerous.

  6. Re:Great! by Anonymous Coward · · Score: 1, Interesting

    Would it not be easier just to do an ifconfig ethX up? (Note: the interface should be set to manual with no IP assigned.)

    I just insert the command as part of PureSecure's init script.
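A setup script for the "interface with no IP address" approach that the article and comments 1, 2 and 6 discuss, added here as an example and not taken from the Linux Journal article or from any commenter. It assumes a Linux host with iproute2 and Snort installed and uses eth1 as a placeholder interface; the has_no_address check takes saved `ip addr show` output as text so it can be verified without root, and the IPv6 step is the caveat a quiet NIC needs (without it the kernel assigns a link-local address and transmits neighbour solicitations).

```shell
#!/bin/sh
# Added example (not from the article or the comments above): bring up a
# sniffing interface with no IP address and verify it stays address-free.
# Assumes Linux with iproute2 and Snort; IFACE (eth1) is a placeholder.
IFACE="${IFACE:-eth1}"

# Return 0 when the given `ip addr show` text carries no inet/inet6 line.
# Takes the text as an argument so it can be checked against saved output.
has_no_address() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6? '
}

# Constructed sample of `ip addr show` output for a correctly quiet NIC
# (no inet/inet6 lines, NOARP flag set), used for the offline self-check.
SAMPLE_QUIET='2: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Configure the interface: no addresses, no ARP, no IPv6 link-local (the
# kernel would otherwise assign fe80::/64 and send neighbour solicitations,
# which is traffic a "quiet" NIC must not emit), then bring it up.
stealth_up() {
    ip addr flush dev "$IFACE"
    sysctl -qw "net.ipv6.conf.$IFACE.disable_ipv6=1"
    ip link set dev "$IFACE" arp off
    ip link set dev "$IFACE" up
    # Refuse to start if an address slipped back on.
    has_no_address "$(ip addr show dev "$IFACE")" || {
        echo "$IFACE still has an address; not starting snort" >&2
        return 1
    }
}

# Snort in NIDS mode on the quiet interface (-i), daemonised (-D), logs in -l.
run_snort() {
    snort -i "$IFACE" -c /etc/snort/snort.conf -l /var/log/snort -D
}

# Only touch the system when run as root with an explicit "go" argument,
# so the file can be sourced for its functions or checked offline.
if [ "$1" = "go" ] && [ "$(id -u)" = "0" ]; then
    stealth_up && run_snort
else
    has_no_address "$SAMPLE_QUIET" && echo "self-check: quiet sample passes"
fi
```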