[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

--
Jonathan


On Thu, 24 Mar 2005 13:21:55 -0500, Jonathan Rickman <jrickman at gmail.com> wrote:
> You can run snort as a non-root user by using the -u parameter. This
> makes snort run as an unprivleged user after root kicks the if into
> promisc mode. Anyone exploiting snort after it's started this way will
> not be able to use any root privs, but if they are pretty good they
> might be able to use the existing socket unless their original exploit
> caused snort to fail.
> 
> --
> Jonathan
> 
> 
> On Thu, 24 Mar 2005 13:06:55 -0500, Bob Toxen
> <transam at verysecurelinux.com> wrote:
> > On Thu, Mar 24, 2005 at 12:49:14PM -0500, Jeff Hubbs wrote:
> > > In practice, is Snort run *on* an Internet-facing Web server or does one
> > > run Snort on a dual-homed machine *in front of* a Web server?  Can
> > > anyone hold court on the subject?
> > It depends!  It depends on what level of security is desired and what
> > one's budget is?  Snort generally runs set-UID to root and there have
> > been remote root vulnerabilities -- as I recall.
> >
> > For highest security, one's Firewall/IDS/IPS should be separate from what
> > it detects.  This is in case there is a remote vulnerability on the
> > Firewall/IDS/IPS software but not on the server software behind it.
> >
> > > Jeff
> >
> > Bob Toxen
> > bob at verysecurelinux.com               [Please use for email to me]
&gt; &gt; <a  rel="nofollow" href="http://www.verysecurelinux.com";>http://www.verysecurelinux.com</a>        [Network&amp;Linux/Unix security consulting]
&gt; &gt; <a  rel="nofollow" href="http://www.realworldlinuxsecurity.com";>http://www.realworldlinuxsecurity.com</a> [My book:&quot;Real World Linux Security 2/e&quot;]
&gt; &gt; Quality Linux &amp; UNIX security and SysAdmin &amp; software consulting since 1990.
&gt; &gt;
&gt; &gt; &quot;Microsoft: Unsafe at any clock speed!&quot;
&gt; &gt;    -- Bob Toxen 10/03/2002
&gt; &gt; _______________________________________________
&gt; &gt; Ale mailing list
&gt; &gt; Ale at ale.org
&gt; &gt; <a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt; &gt;
&gt;


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00424" href="msg00424.html">[ale] Snort (Intrusion Detection)</a></strong>
<ul><li><em>From:</em> hbbs at comcast.net (Jeff Hubbs)</li></ul></li>
<li><strong><a name="00426" href="msg00426.html">[ale] Snort (Intrusion Detection)</a></strong>
<ul><li><em>From:</em> transam at verysecurelinux.com (Bob Toxen)</li></ul></li>
<li><strong><a name="00428" href="msg00428.html">[ale] Snort (Intrusion Detection)</a></strong>
<ul><li><em>From:</em> jrickman at gmail.com (Jonathan Rickman)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00428.html">[ale] Snort (Intrusion Detection)</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00430.html">[ale] Snort (Intrusion Detection)</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00428.html">[ale] Snort (Intrusion Detection)</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00430.html">[ale] Snort (Intrusion Detection)</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00429"><strong>Date</strong></a></li>
<li><a href="threads.html#00429"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>