RE: Snort sensor placement

From: George Milliken (gmilliken@farm9.com)
Date: 09/27/01


From: "George Milliken" <gmilliken@farm9.com>
To: "Tom Lichti" <tom@redpepperracing.com>, <focus-ids@securityfocus.com>
Subject: RE: Snort sensor placement
Date: Thu, 27 Sep 2001 08:45:43 -0700
Message-ID: <NFBBIHEDEKGKIEDFMMMBOELFCCAA.gmilliken@farm9.com>

Hub between FW and cable modem; that way you see attacks that will not make
it through the FW, thus you see what people are doing to the FW.

George
farm9

-----Original Message-----
From: Tom Lichti [mailto:tom@redpepperracing.com]
Sent: Thursday, September 27, 2001 7:57 AM
To: focus-ids@securityfocus.com
Subject: RE: Snort sensor placement

Here's a question along the same lines. This is my current setup:

 ----------    -----------    ----------      --------      -----------
| INTERNET |--| CBL MODEM |--| FIREWALL |----| SWITCH |----| SERVER(S) |
 ----------    -----------    ----------      --------      -----------

I have at my disposal a spare hub (2 actually), and possibly a spare
machine to run Snort. One caveat is the switch is very basic, with no
spanning or mirroring ports. Here are the scenarios:

1) Install Snort on an existing machine, either the firewall or the main
server. If so, which would be the best choice? FW is running OpenBSD 2.8,
server is RH 7.1.

2) Install the hub and the spare machine running snort, similar to the
diagram below. Where should the hub go? And what OS would be the choice for
the machine running Snort? It won't be a very fast machine (P300'ish), with
as much RAM as I can stuff onto the MB. Would it be possible to put it in
front of the firewall?

Thanks for any input.
Tom

--On Friday, September 21, 2001 9:55 AM -0600 Dave Vehrs
<davev@spiremedia.com> wrote:

>
> Close but what is the small hub connecting to? If its another hub then
> you will see all the traffic from it too.
>
> What I would do is this:
>
> -----      --------      -----------      --------
>| LAN |----| SWITCH |----| SMALL HUB |----| SERVER |
> -----      --------      -----------      --------
>                               |
>         (receive only cable)->|
>                               |
>                            -------
>                           | SNORT |
>                            -------
>
> You can find information on how to build a receive only network cable at:
> http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/
>
> Then I would either manage the Snort sensor directly from its own
> monitor/keyboard or add a second "management" interface to connect back
> to a secure location on the LAN.
>
> Good Luck,
>
> Dave V.
>
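
A sanity check a defender would run on a sensor built the way Dave describes (sniffing NIC with no address on a receive-only cable, separate management NIC). It is an example added here, not code from the thread; it assumes a Linux sensor with iproute2 and the interface names eth0 (management) and eth1 (sniffing).

```shell
#!/bin/sh
# Added example, not from the thread: verify that the sniffing NIC of a Snort
# sensor is "stealth": no IPv4 or IPv6 address (nothing to answer or attack)
# and promiscuous mode on, so Snort sees every frame the hub repeats.
# Management traffic goes over a second NIC. Assumes iproute2 output from
# "ip -o addr show" / "ip -o link show"; eth0/eth1 names are assumptions.

# check_sniff_iface IFACE ADDR_OUTPUT LINK_OUTPUT
# Prints one line per problem found; returns 0 only when the interface is clean.
check_sniff_iface() {
    iface=$1; addr_out=$2; link_out=$3; rc=0
    # Any inet or inet6 address on the sniffing interface is a problem.
    if printf '%s\n' "$addr_out" | grep -E "^[0-9]+: $iface[ :].* inet6? " >/dev/null; then
        echo "$iface: has an IP address configured"; rc=1
    fi
    # Extract the <FLAGS> field; the interface must be UP and PROMISC.
    flags=$(printf '%s\n' "$link_out" | grep -E "^[0-9]+: $iface: " | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    [ -n "$flags" ] || { echo "$iface: interface not found"; return 1; }
    case ",$flags," in *,UP,*) ;; *) echo "$iface: is not UP"; rc=1 ;; esac
    case ",$flags," in *,PROMISC,*) ;; *) echo "$iface: not in promiscuous mode"; rc=1 ;; esac
    return $rc
}

# Constructed sample output (not captured from a real sensor): eth0 is the
# management NIC with an address, eth1 the receive-only sniffing NIC.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 fe80::ff:fe00:1/64 scope link'
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

# On a live sensor, before starting Snort with "snort -i eth1 ...":
#   check_sniff_iface eth1 "$(ip -o addr show)" "$(ip -o link show)"
```

Running the check against the constructed samples passes for eth1 and fails for eth0, which carries addresses and is not promiscuous.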


