[ale] Snort (Intrusion Detection)

Jonathan Rickman jrickman at gmail.com
Thu Mar 24 13:29:02 EST 2005


You can run snort as a non-root user by using the -u parameter. This
makes snort run as an unprivileged user after root kicks the if into
promisc mode. Anyone exploiting snort after it's started this way will
not be able to use any root privs, but if they are pretty good they
might be able to use the existing socket unless their original exploit
caused snort to fail.

--
Jonathan


On Thu, 24 Mar 2005 13:06:55 -0500, Bob Toxen
<transam at verysecurelinux.com> wrote:
> On Thu, Mar 24, 2005 at 12:49:14PM -0500, Jeff Hubbs wrote:
> > In practice, is Snort run *on* an Internet-facing Web server or does one
> > run Snort on a dual-homed machine *in front of* a Web server?  Can
> > anyone hold court on the subject?
> It depends!  It depends on what level of security is desired and what
> one's budget is.  Snort generally runs set-UID to root and there have
> been remote root vulnerabilities -- as I recall.
> 
> For highest security, one's Firewall/IDS/IPS should be separate from what
> it detects.  This is in case there is a remote vulnerability on the
> Firewall/IDS/IPS software but not on the server software behind it.
> 
> > Jeff
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> 
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002
>
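
Added example (not part of the original posts and not Snort's own code): a C program showing the pattern discussed above, where a privileged resource is opened first, privileges are then dropped irreversibly, and the already-open socket remains usable afterwards. The function names are hypothetical, a UNIX socket pair stands in for the capture socket, and uid/gid 65534 ("nobody") is an assumption.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: supplementary groups, then
 * gid, then uid; after the uid changes the process may no longer touch its
 * groups. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root leaving root has supplementary groups to shed. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Open a socket first, drop privileges, then use the socket.
 * Returns 1 if it still works after the drop, 0 if not, -1 on setup error. */
int socket_survives_drop(uid_t uid, gid_t gid)
{
    int sv[2];
    char c = 0;
    /* Constructed stand-in for the capture socket; a real sensor opens a
     * packet socket here, which is the step that needs root. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    int ok = -1;
    if (drop_privileges(uid, gid) == 0)
        ok = write(sv[0], "x", 1) == 1 && read(sv[1], &c, 1) == 1 && c == 'x';
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    /* Assumption: 65534 is the unprivileged "nobody" id on this system. */
    int root = geteuid() == 0;
    int r = socket_survives_drop(root ? 65534 : getuid(), root ? 65534 : getgid());
    printf("socket usable after privilege drop: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

A result of 1 means the descriptor opened before the drop is still live, which is why dropping to an unprivileged user limits the impact of a compromise without removing it.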


