Security Basics mailing list archives

Re: Locking down Snort


From: Nelson Santos <nsantos () gmail com>
Date: Tue, 29 Jun 2004 08:59:15 -0300

Carey,

Sniffing is done at the Link Layer (Datalink on OSI) and IP is at the
Network Layer. That's why you were able to sniff without an IP.

Nelson.

On Fri, 25 Jun 2004 16:04:31 -0800, Carey Myers <cmlist170 () hotmail com> wrote:

Jose,

You didn't say whether you are using windows or linux Snort.  I will assume
when you said IPtables you were referring to *nix, although it does not
really change my response.  I am also making assumptions that you are now
seeing network traffic that would be ignored unless your sniffer NIC was
properly set in promiscuous mode, thus indicating successful snort
configuration and function.

Someone else may speak up with a more in-depth knowledge than myself, but
consider this:

As I understand it, a network interface ignores packets not associated with
an address it is supposed to answer for UNLESS it is set in promiscuous mode
(aside from broadcast messages but that's another matter).  This would
indicate to me that whatever raw driver is doing the sniffing for Snort
(*nix and windows both) sees the packets BEFORE the standard OS IP stack
gets it--at least for traffic not destined for the ip the card answers for.
Otherwise the traffic not bound for the sniffing interface would be dropped
before it gets analyzed by snort, yes?

I have successfully removed and 'disabled' an interface with regards to
TCP/IP in both *nix and windows and still had them sniff properly using
snort.  In fact, I have placed an unpatched windows 2000 snort box
(stand-alone, I'm not crazy!) on the outside of my firewall with no
antivirus whatsoever and NO IP associated with it and it withstood Blaster
and various other IP-based worms and even professional penetration testing
without incident, indicating to me that the OS IP stack is not associated at
all (or ENOUGH anyway) with the sniffing done for Snort.  I still use a
windows snort box with IPSEC authentication only to my desktop machine
inside my firewall to give me a better profile on my network.  It refuses
all connections from any other ip and even mine without the correct seed
phrase set up in IPSEC. (Certificates would be better, but I haven't gotten
around to that.)  The box still sniffs traffic as desired.

I humbly accept any corrections the group may have for incorrect or
misleading statements.  I am speaking from observation only:  not from an
in-depth knowledge of how (libpcap, winpcap?) drivers are used to put a NIC
in promiscuous mode or in what order with respect to an operating system's
own stack.

Hope this helps,

Carey

Jose Guevarra asked,

- if I blocked those ports from the outside world would I still detect say a
port scan on those ports?

- Who captures the packets first: Firewall(IPTABLES) or SNORT?

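An added illustration of the point Nelson and Carey make above (link-layer capture is independent of the host's IP configuration, and promiscuous mode is what lets the NIC pass up frames addressed to other stations). This is example code written for this archive page, not code from the thread, from Snort or from libpcap. It parses a constructed Ethernet/IPv4 frame the way a link-layer capture would deliver it, then models the two filters a frame passes on its way in: the NIC's MAC filter (bypassed by promiscuous mode) and the IP stack's address check (which a sniffer never depends on). The MAC and IP addresses are constructed sample values; `open_capture_socket` is a Linux-only AF_PACKET helper that needs CAP_NET_RAW and uses the Linux numeric values for `SOL_PACKET`, `PACKET_ADD_MEMBERSHIP` and `PACKET_MR_PROMISC`, and is only called from the `__main__` block.

```python
"""Link-layer capture vs. the host IP stack (constructed example, not from the thread)."""
import socket
import struct

ETH_HDR_LEN = 14
ETH_P_IP = 0x0800
ETH_P_ALL = 0x0003                    # Linux AF_PACKET: receive every ethertype
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Linux values (assumed here because the socket module does not export all of them)
SOL_PACKET, PACKET_ADD_MEMBERSHIP, PACKET_MR_PROMISC = 263, 1, 1


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Decode the 14-byte Ethernet header; this is all a link-layer tap sees first."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst_mac": _mac(dst), "src_mac": _mac(src),
            "ethertype": ethertype, "payload": frame[ETH_HDR_LEN:]}


def ipv4_checksum(hdr):
    """RFC 791 ones-complement sum; over a valid header (checksum included) it yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(data):
    """Decode an IPv4 header from the Ethernet payload, rejecting damaged headers."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(data):
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "total_len": total_len, "payload": data[ihl:total_len]}


def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto, payload):
    """Construct a sample frame (used only to feed the parser and the model below)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return eth + hdr + payload


def delivery(frame, host_mac, host_ip, promiscuous):
    """Model of the path a received frame takes on a host with the given MAC and IP.

    Returns (seen_by_sniffer, reaches_ip_stack):
      1. The NIC passes a unicast frame up only if the destination MAC is its own
         (broadcast/multicast always pass), unless it is in promiscuous mode.
      2. Everything the NIC passes up is copied to the link-layer tap (AF_PACKET,
         libpcap) before the IP layer looks at it, so host_ip plays no part here.
      3. The IP stack accepts only packets addressed to the host's own IP (or
         limited broadcast); with no IP configured (host_ip=None) nothing reaches it.
    """
    eth = parse_ethernet(frame)
    bcast_or_mcast = eth["dst_mac"] == BROADCAST_MAC or bool(int(eth["dst_mac"][:2], 16) & 1)
    if not (promiscuous or bcast_or_mcast or eth["dst_mac"] == host_mac):
        return False, False
    if eth["ethertype"] != ETH_P_IP:
        return True, False
    ip = parse_ipv4(eth["payload"])
    return True, host_ip is not None and ip["dst"] in (host_ip, "255.255.255.255")


def open_capture_socket(iface, promiscuous=True):
    """Linux, CAP_NET_RAW required: a raw packet socket bound to iface, no IP needed."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    if promiscuous:  # struct packet_mreq: int ifindex; u16 type; u16 alen; u8 addr[8]
        mreq = struct.pack("iHH8s", socket.if_nametoindex(iface), PACKET_MR_PROMISC, 0, b"\0" * 8)
        s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return s


if __name__ == "__main__":
    # Constructed sample: a frame for a neighbour, observed by a sensor with another MAC and no IP.
    f = build_ipv4_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.9", 6, b"SYN")
    for promisc in (False, True):
        print("promiscuous=%s -> (sniffer, ip_stack) = %s"
              % (promisc, delivery(f, host_mac="aa:aa:aa:aa:aa:aa", host_ip=None, promiscuous=promisc)))
```

Run as root on Linux, `open_capture_socket("eth0")` returns a socket whose `recv(65535)` yields whole frames to feed `parse_ethernet`, whether or not the interface carries an IP address. The model also answers Jose's second question for Linux: the packet-socket tap runs when the frame enters the kernel, before the IP layer hands the packet to netfilter, so an iptables rule that drops traffic to a port does not keep a link-layer sniffer from seeing the probe.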

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


