Slashdot Mirror


Using Snort Stealthily

jukal writes "Linux Journal has an article on using Snort as a stealth sniffer, a stealth NIDS probe and stealth logger -- on a network interface with no IP address. 'Snort is a versatile and powerful tool for sniffing, intrusion detection and packet logging. Configuring it to run stealthily in sniffing mode or NIDS mode is easy; incorporating it into a stealth-logging solution is only slightly less so.'"

4 of 148 comments

  1. Re:Warning by flonker · Score: 5, Interesting

    It's easy to remain undetected with a custom patch cord (no transmit). IIRC, for 10BaseT you simply didn't set up the TX wires, and for 100BaseT you untwisted one of the twisted pairs.

    It's even possible to remain undetected with software only, but you *really* need to know what you're doing. Stuff can be detected on the Ethernet layer that most people aren't aware of.

  2. Re:Even more simple ... by vofka · Score: 5, Insightful

    Unfortunately, firewalls are not the be-all and end-all of network security... A firewall can effectively protect your network from malicious access from the outside world; however, it cannot prevent hack-attacks on your systems which originate from within your network.

    There are two primary reasons for hack-attacks originating inside a firewalled-zone:
    1. A trojaned system, usually due to poor Antivirus policy and/or poor user education.
    2. A disgruntled employee who is out to get you!

    Obviously, the best solutions to these problems are to implement a good Antivirus product and virus protection policy, and to keep your employees happy!

    Unfortunately, no matter how hard you try, there are always likely to be problems you have not foreseen - which is where sniffers and NIDS tools come in. Whilst these tools are also not the sole answer to anyone's prayers, they can often help as part of an overall security system implementation.

    Snort is (IMHO) one of the best NIDS tools out there - I have used Snort for a couple of years as part of an integrated security solution, and the logfiles it generates, once properly parsed, have helped me track down a number of threats to network security, and plug any holes present before the problems became serious.

    Firewalls are not a panacea, nor are NIDS tools; used together, though, they are much more than the sum of their parts....

    --
    Disclaimer: I meant what I thought, not what I wrote! What? You can't read my Mind? Oh dear!

  3. A better article, and other links .... by ericman31 · Score: 5, Informative

    --
    In my universe I'm perfectly normal, it's not my fault you don't live in my universe.

  4. Re:Even more simple ... by RagManX · Score: 5, Insightful

    Build a firewall!!!

    You probably should work in the security world before making statements about things you clearly don't understand. tcpdump is a tool for watching all or select traffic. It dumps raw packets, and you have to figure out what to make of them. Snort is a tool for analyzing those packets and alerting on suspicious data. It provides the information you need to help you find potentially dangerous traffic.

    Where I work, we have a T-3 'net connection. We typically run about 40% available bandwidth. You'll have just a *TINY* bit of trouble keeping up with that traffic if you manually analyze tcpdump logs. If you run Snort, it will do the bulk of the work, and alert you on things it thinks bear further investigation. It makes mistakes. But having it help focus your traffic checks makes the day a lot easier.

    As for using a firewall, too many people have the mistaken impression that once they install a firewall, all their worries will go away. If you have an insider attacking one of your corporate servers, a firewall doesn't help with that at all. An intrusion detection system like Snort will. If your users bring in discs from home that contain trojan programs with call-home features, your firewall probably won't catch that, but an intrusion detection system probably will. If your users are surfing to pr0n sites, your firewall might catch that, but an intrusion detection system has a much greater chance.

    A firewall is a good thing to have, but everyone working in the security field is going to tell you that it is not enough. We have a concept which we frequently preach to newbs - defense in depth. Put as many systems in place for securing your network as you can realistically manage and track. If you have only a single security device, once an exploit comes out for that device, your network is wide open. And every single security system out there has bugs, so depending on one greatly increases your chances of getting 0wnzerized. Put in multiple systems, and you are likely to catch attacks on at least one of them, in the event that a way to avoid one part of your defense is found.

    RagManX