<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Security on Inliniac</title>
    <link>https://inliniac.net/blog/tag/security/</link>
    <description>Recent content in Security on Inliniac</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Fri, 24 Aug 2007 16:26:47 +0000</lastBuildDate>
    <atom:link href="https://inliniac.net/blog/tag/security/feed.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Follow up on Sguil security</title>
      <link>https://inliniac.net/blog/2007/08/24/follow-up-on-sguil-securtiy/</link>
      <pubDate>Fri, 24 Aug 2007 16:26:47 +0000</pubDate>
      <guid>https://inliniac.net/blog/2007/08/24/follow-up-on-sguil-securtiy/</guid>
      <description>&lt;p&gt;In the discussion about my post on Sguil security there have been a number of ideas and general thoughts. I&amp;rsquo;d like to write about them here so we can discuss them further. There seems to be consensus that once a sensor is rooted, there is nothing we can do to prevent the injection of bogus data, as long as that data isn&amp;rsquo;t malformed.&lt;/p&gt;&#xA;&lt;p&gt;Having the agent authenticate itself is a solution, but it relies on the agent credentials remaining secret. So when a webserver is rooted, the attacker will have access to the credentials, as they are stored on the webserver itself. This approach does provide an extra layer of defense, but local roots aren&amp;rsquo;t uncommon, so it remains risky. It may still be worth the effort though.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Thoughts on Sguil security</title>
      <link>https://inliniac.net/blog/2007/08/24/thoughts-on-sguil-security/</link>
      <pubDate>Thu, 23 Aug 2007 22:25:26 +0000</pubDate>
      <guid>https://inliniac.net/blog/2007/08/24/thoughts-on-sguil-security/</guid>
      <description>&lt;p&gt;Sguil is built from a server and sensors. Traditionally the sensors are passive monitoring agents running Snort and a few other tools. Best practice was (and still is) to separate the management network of these sensors and the server from the monitored network(s). This way it is fairly hard for an attacker to get a shot at the Sguil server.&lt;/p&gt;&#xA;&lt;p&gt;Sguil, of course, would be an extremely interesting target for hackers. It contains a great deal of information about the monitored network, and it has realtime access to all network traffic. A hacker may also be interested in shutting Sguil down to avoid detection.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
