Questions regarding the use of Snort (IDS) and security
I've read some of the docs at snort.org, but I have some questions since it will be the first time I run Snort and I need help from some more experienced users.

Should I create a user "snort" to run Snort, or should I run it as root?

Do you guys use a frontend to Snort? I would like to use ACID or BASE to analyze the results, but these tools require web servers etc., things that I don't need, and a misconfiguration of them could be risky for my computer. The only alternative I have found is RazorBack.

I also have iptables installed on the same machine. It's my desktop, but I'm under the impression that I have been compromised. I run Slackware and use all the latest security updates, plus I run my custom 2.6.13 kernel. I remember that one day at a console in KDE I got a message: "Possible Intrusion Detection". Yesterday, using WindowMaker, Firefox 1.0.6 just closed while I was reading something. Since there is nothing in /var/log/debug or /var/log/messages that indicates a crash of Firefox, I suspect something is going on. I don't run sshd or Apache. I've checked with rkhunter and I am clean.

PS: how do you remove remote root logins from the sshd config file? I don't run sshd, but this option is enabled and I get a warning from rkhunter.
In /etc/ssh/sshd_config, add/edit a line to read "PermitRootLogin no".
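As an added example (not from the thread), here is a small sh script that makes that edit safely and checks the result. One caveat worth knowing: sshd uses the first value it finds for a keyword, so appending "PermitRootLogin no" to the end of the file does not override an earlier "PermitRootLogin yes". The functions therefore drop every existing PermitRootLogin line (active or commented out) and write a single one. The file path is a parameter so you can try it on a scratch copy first; the real file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: set PermitRootLogin to "no" in an sshd_config file and
# verify the effective value. Keywords in sshd_config are case-insensitive
# and the FIRST occurrence wins, hence -i on grep and the rewrite strategy.
# Usage: set_permit_root_login_no /etc/ssh/sshd_config

# Print the effective PermitRootLogin value: first active occurrence,
# or "unset" if the file never sets it (sshd then applies its own default).
permit_root_login_value() {
    file="$1"
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$file" \
          | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Remove every PermitRootLogin directive (active or commented) and write
# exactly one "PermitRootLogin no". Copying back with cat rather than mv
# keeps the original file's owner and mode.
set_permit_root_login_no() {
    file="$1"
    tmp="${file}.tmp.$$"
    grep -viE '^[[:space:]]*#?[[:space:]]*PermitRootLogin([[:space:]]|$)' "$file" > "$tmp" || true
    printf 'PermitRootLogin no\n' >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

After editing the live file, run `sshd -t` to syntax-check it and restart sshd if it is running. rkhunter reads the config file regardless of whether sshd is started, which is why the warning appears even on a machine without sshd listening.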
Quote:
These are files that get executed as root (+s):

~# find / -type f \( -perm -04000 -o -perm -02000 \)
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/usr/bin/lppasswd
/usr/bin/crontab
/usr/bin/fdmount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/chage
/usr/bin/expiry
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/slocate
/usr/bin/wall
/usr/bin/write
/usr/bin/rcp
/usr/bin/lockfile
/usr/bin/procmail
/usr/bin/rsh
/usr/bin/traceroute6
/usr/bin/rlogin
/usr/bin/traceroute
/usr/bin/sudo
/usr/sbin/utempter
/usr/sbin/pppd
/usr/X11R6/bin/Xorg
/usr/X11R6/bin/xscreensaver
/usr/local/bin/bubblemon (a dockapp in WindowMaker)
/usr/libexec/pt_chown
/usr/libexec/ssh-keysign
/usr/libexec/gnome-pty-helper
find: /proc/1868/task: No such file or directory
find: /proc/1868/fd: No such file or directory
find: /proc/4368/task/4368/fd/4: No such file or directory
find: /proc/4368/fd/4: No such file or directory
/opt/kde/bin/kdesud
/opt/kde/bin/kcheckpass
/opt/kde/bin/fileshareset
/opt/kde/bin/kgrantpty
/opt/kde/bin/kpac_dhcp_helper
/opt/kde/bin/kppp

Anything suspicious?
Nothing that strikes me as odd.
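Eyeballing a setuid list once tells you little; what you want is a saved list from a known-good state and a report of anything that appears later. As an added example (not from the thread), the script below wraps the same find invocation and diffs it against a baseline. `-xdev` keeps find on one filesystem, so /proc and /sys are skipped when the root is /, and stderr is discarded because /proc entries vanish between readdir and stat, which is exactly what the "No such file or directory" noise in the quoted output is. The directory root and baseline path are parameters so it can be run against a scratch tree.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a baseline.
# First run:  list_suid_sgid / > /root/suid.baseline   (store it read-only
#             or off-box: anyone who gets root can rewrite a baseline kept
#             on the same disk)
# Later runs: new_suid_sgid / /root/suid.baseline

# Sorted list of regular files with the setuid (4000) or setgid (2000) bit.
list_suid_sgid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | LC_ALL=C sort
}

# Print files that are setuid/setgid now but absent from the baseline.
# Returns 1 if any were found, 0 if the system matches the baseline.
# comm needs both inputs sorted the same way; list_suid_sgid guarantees that
# for the baseline as long as it was produced by this script.
new_suid_sgid() {
    root="$1"; baseline="$2"
    current=$(mktemp)
    list_suid_sgid "$root" > "$current"
    added=$(LC_ALL=C comm -13 "$baseline" "$current")   # lines only in current
    rm -f "$current"
    if [ -z "$added" ]; then return 0; fi
    printf '%s\n' "$added"
    return 1
}
```

A file that is in the baseline but no longer setuid is not reported; that direction is rarely an attack, and `comm -23` gives it if you want it.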
Thanks for the info, Matir.
You have been very helpful :) The only thing I run as root that may have been harmful is Cable-TV: http://sector17.tvand.net/cabletv/
No problem. You should also check out 'chkrootkit' to see if it finds anything on your system.
Quote:
I use my own custom latest kernel. Maybe I got hacked or not. I don't use binaries, only source. When I scan my PC with nmap no port is open, since I am also using --no-listen or something like that when I start my X server. I also used diff to compare the files that are in my system with the ones in the packages I use. Files included netstat, ifconfig etc., and all were normal. But that doubt is driving me crazy and I will format and be more careful next time. Also I am thinking of using some of the above: Snort, AIDE, samhain along with iptables on the same machine.
I don't think you got hacked. I'd strongly suggest you look into tripwire... snort is more effective for a whole network.
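The diff-against-packages check the poster describes is what tripwire and AIDE automate: record a fingerprint of every file while the system is known good, then re-hash later and report differences. As an added example (not from the thread, and far simpler than the real tools, which also record inode, mode, owner, mtime and sign their database), the script below records a SHA-256 per regular file under a directory and classifies each file on a later run as CHANGED, MISSING or NEW. It assumes paths contain no whitespace; the directory and baseline path are parameters so it can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example: minimal tripwire/AIDE-style file integrity check.
# First run:  integrity_baseline /bin > /mnt/readonly/bin.baseline
# Later runs: integrity_check /bin /mnt/readonly/bin.baseline
# Keep the baseline on read-only media or another host: a root compromise
# on the same box can rewrite a baseline stored locally.

# sha256sum on Linux; shasum -a 256 elsewhere. Both print "<hex>  <path>".
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# Baseline format: "<hex-sha256>  <path>", one regular file per line.
integrity_baseline() {
    root="$1"
    find "$root" -xdev -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        hash_cmd "$f"
    done
}

# Recompute hashes and compare with the baseline. Prints one line per
# difference (CHANGED/MISSING/NEW <path>), sorted; exit 0 only if identical.
integrity_check() {
    root="$1"; baseline="$2"
    current=$(mktemp)
    integrity_baseline "$root" > "$current"
    # First file fills base[], second fills cur[]; keyed by path ($2).
    result=$(awk '
        NR==FNR { base[$2]=$1; next }
        { cur[$2]=$1 }
        END {
            for (p in base) if (!(p in cur)) print "MISSING " p
            for (p in cur)  if (!(p in base)) print "NEW " p
            for (p in cur)  if (p in base && cur[p]!=base[p]) print "CHANGED " p
        }' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -z "$result" ]; then return 0; fi
    printf '%s\n' "$result"
    return 1
}
```

Hashing everything under / takes a while and is mostly noise from logs and caches; point it at /bin, /sbin, /usr/bin, /lib and /etc, which is where a replaced netstat or ifconfig would show up, and run it from cron so a change is noticed within a day rather than when something crashes.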