Snort is running under an own userid/group pair
snort/snort. This should make sure that any buffer
overflow not yet fixed (if any) only gets the rights the snort user has. For
people for whom this is not enough you might use a changeroot'ed environment
using snort's command line option -t. But please don't
ask me how to create it, I've never done it and maybe will not do it anytime.
As with all security related systems don't allow more services as needed. If
you do a standard installation of any linux distribution take a look into
/etc/inetd.conf if your distribution is still using the
older inetd or /etc/xinetd.d/* on an
xinetd based system and disable all services
not really vital for your system. E.g. you don't want to use telnet, replace
it with ssh.
Also take a look at the initscripts, on a Sytem V based system like RedHat
found in /etc/rc.d/init.d/*. If there are any services
like nfs and portmap which you
don't use on such a system delete the corresponding packages completely.
And you should read a lot of security related papers and HOWTOs, like the
Security-HOWTO, the System Administrators
Guide or Network Administrator guide.
Or take a look on various security related websites like http://www.securityfocus.com/,
http://www.linuxsecurity.org/ or
http://www.insecure.org/
