RE: Snort sensor placement

From: Dave Vehrs (davev@spiremedia.com)
Date: 09/27/01


From: "Dave Vehrs" <davev@spiremedia.com>
To: "'Tom Lichti'" <tom@redpepperracing.com>, <focus-ids@securityfocus.com>
Subject: RE: Snort sensor placement
Date: Thu, 27 Sep 2001 10:40:54 -0600
Message-ID: <005901c14773$2d64b3b0$9701010a@spiremedia.com>

With access to two machines this is what I do:

        ----------
       | Internet |
        ----------
             |
      -------------
     | Cable Modem |
      -------------
             |
     -------------- (RO-Cable)  ------------------
    | External HUB |-------------| Ext Snort Sensor |
     --------------              ------------------
             |                            |
        ----------                        |
       | Firewall |                       |
        ----------                        |
             |                            |
     --------------     ----------------------------
    | Internal Hub |----| Main Server & Snort Sensor |
     --------------     ----------------------------
             |
          --------
         | Switch |
          --------
             |
     ------------------
    | Internal Network |
     ------------------

Note: If you had a switch with a monitoring port, you could eliminate the
internal hub, but I included it for this diagram because of your
requirements.

1. External Sensor
        A. Old hardware 486 100MHz works great.
        B. Receive only Cable to External Hub
(http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/)
        C. Second NIC with dedicated Connection to Internal Snort Sensor.

2. Main Server & Snort Sensor
        A. 2 NICs (One to the Internal Network and one to External Sensor)
        B. ACID-PHP (PHP web page that accesses a MySQL database
                where the Snort Logs are stored.)
                See: http://acidlab.sourceforge.net/

This setup allows you to easily compare both what is outside the firewall
and what gets through. Or you can query the MySQL database to search for
almost any log entry that you want (i.e. only internal, only external, by
day, by week, occurs between midnight and six am, etc.).

Managing the logs is relatively easy even with limited SQL knowledge (mostly
simple commands to delete or archive all log entries older than x).

OS Question:
For the external Snort Sensor, I would use Linux (Debian with a cron job to
apt-get any security updates that come out).

Good Luck,

Dave V.
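The kinds of database queries the post describes (only external, only internal, midnight to six am, comparing what the outside sensor saw against what reached the inside, and archiving entries older than x days), as an added worked example that is not part of Dave's message. It assumes a simplified subset of the Snort database plugin schema (sensor, signature, event, iphdr tables with the column names ACID reads) and runs it in an in-memory SQLite database instead of MySQL; the sensor ids, signature names and alert rows are constructed sample data.

```python
"""Snort-style alert database queries for a two-sensor (outside/inside) layout.
Assumption: table and column names follow a cut-down Snort database schema;
MySQL-specific date functions are replaced by SQLite's strftime."""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        PRIMARY KEY (sid, cid));
CREATE TABLE event_archive AS SELECT * FROM event WHERE 0;
"""

EXT_SID, INT_SID = 1, 2                   # constructed sensor ids: outside / inside the firewall
NOW = datetime(2001, 9, 27, 12, 0, 0)     # fixed "now" so the archive cutoff is reproducible


def ip2int(dotted):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


# Constructed alerts: (sid, cid, sig_id, timestamp, src, dst).
# Signatures A and B fire on both sensors (traffic got through); C only outside
# (blocked); the external cid 4 is old enough to fall under a 30-day archive rule.
SAMPLE = [
    (EXT_SID, 1, 1, "2001-09-27 01:15:00", "10.9.8.7", "192.168.1.10"),
    (INT_SID, 1, 1, "2001-09-27 01:15:01", "10.9.8.7", "192.168.1.10"),
    (EXT_SID, 2, 2, "2001-09-27 09:30:00", "10.9.8.7", "192.168.1.10"),
    (INT_SID, 2, 2, "2001-09-27 09:30:00", "10.9.8.7", "192.168.1.10"),
    (EXT_SID, 3, 3, "2001-09-27 03:00:00", "10.1.2.3", "192.168.1.10"),
    (EXT_SID, 4, 3, "2001-08-01 04:00:00", "10.1.2.3", "192.168.1.10"),
]


def build_demo():
    """Create the schema and load the constructed sample alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?)",
                     [(EXT_SID, "ext-sensor", "eth0"), (INT_SID, "main-server", "eth1")])
    conn.executemany("INSERT INTO signature VALUES (?,?,?)",
                     [(1, "sample signature A", 2), (2, "sample signature B", 1),
                      (3, "sample signature C", 2)])
    for sid, cid, sig, ts, src, dst in SAMPLE:
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?)", (sid, cid, ip2int(src), ip2int(dst)))
    conn.commit()
    return conn


def events_on_sensor(conn, sid):
    """'Only external' or 'only internal': alert ids from a single sensor."""
    return [r[0] for r in conn.execute(
        "SELECT cid FROM event WHERE sid=? ORDER BY cid", (sid,))]


def night_events(conn):
    """Alerts between midnight and six am (MySQL equivalent: HOUR(timestamp) < 6)."""
    return conn.execute(
        "SELECT sid, cid FROM event "
        "WHERE CAST(strftime('%H', timestamp) AS INTEGER) < 6 ORDER BY sid, cid").fetchall()


def blocked_by_firewall(conn):
    """External alerts with no matching internal alert: what the firewall stopped.
    Matches on (signature, source) rather than destination, since the firewall
    may rewrite the destination address."""
    return conn.execute("""
        SELECT s.sig_name, e.cid
        FROM event e
        JOIN iphdr i ON e.sid=i.sid AND e.cid=i.cid
        JOIN signature s ON s.sig_id=e.signature
        WHERE e.sid=? AND NOT EXISTS (
            SELECT 1 FROM event e2 JOIN iphdr i2 ON e2.sid=i2.sid AND e2.cid=i2.cid
            WHERE e2.sid=? AND e2.signature=e.signature AND i2.ip_src=i.ip_src)
        ORDER BY e.cid""", (EXT_SID, INT_SID)).fetchall()


def archive_older_than(conn, days, now=NOW):
    """Copy alerts older than `days` into event_archive, then delete them from
    event; returns the number moved. A real deployment would treat the related
    header/payload tables the same way."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    with conn:
        conn.execute("INSERT INTO event_archive SELECT * FROM event WHERE timestamp < ?", (cutoff,))
        cur = conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,))
    return cur.rowcount


if __name__ == "__main__":
    db = build_demo()
    print("external only:", events_on_sensor(db, EXT_SID))
    print("midnight-6am:", night_events(db))
    print("blocked outside:", blocked_by_firewall(db))
    print("archived:", archive_older_than(db, 30))
```

The same queries translate directly to the MySQL database ACID reads; only the hour extraction and the archive cutoff arithmetic use SQLite functions here, and both have one-line MySQL equivalents (HOUR() and DATE_SUB()).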