Snort mailing list archives

Re: Best Practices for external sensors

From: "M. Morgan" <mikemorgan () mindspring com>
Date: Thu, 17 Jun 2004 15:35:44 -0400 (GMT-04:00)

USe Open SSL for the encrypted transmission from snortcenter to mysql:
http://users.pandora.be/larc/download

 If you want to have a snort node sniffing outside the LAN and still have it pipe results back to the mysql database 
you can set your sniffing NIC to 0.0.0.0 and 255.255.255.255, additionally, you'll need to set a "DROP if incoming 
interface is eth0" rule in iptables so eth0 (the sniffed NIC) will discard any unsolicated traffic. Use tcpdump 
<sniffed NIC> to check the NIC and be sure it is still sniffing traffic on the hostile segment.

 If the snort node has multiple NIC's edit the routing table (man route) to remove the defualt route from the sniffed 
NIC, the internal NIC (eth1?) should have the route needed to reach the internal LAN.

The above methods will provide you with a NIC that is unresponsive to the hostile segment  and does nothing but sniff, 
the other NIC (eth1) is used by the snort node to pipe results inbound with ssl.

You may also be able to drop incoming traffic on that mirrored port via the switch settings as an added precaution.

In addition, harden the sensor to the best of your ability via iptables, bastille or whatever makes you comfortable

I have a distributed snort/mysql/snortcenter NID system running here, if you need additional input email be privately 
if you wish.

Michael





-----Original Message-----
From: jonasb () alum rpi edu
Sent: Jun 17, 2004 9:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best Practices for external sensors

I currently have a Snort infrastructure set up on my internal network
with several sensors managed via SnortCenter, logging to a centralized
MySQL DB. I am looking to deploy a sensor on our outside network (off of
a mirrored port on a switch). There are several firewalls with outside
interfaces on this switch. 

I'm trying to get an idea of the best/most secure way to funnel
alerts/logs back into the network to our centralized logging server. I
thought of some type of VPN tunnel inbound, but my concern is that if
the sensor were to be compromised, there would be a direct path into the
network. I obviously don't want to multi-home the sensor inside/outside.
Is my best bet just to open up SQL connectivity from this external
sensor to the inside DB on the firewall and stream the alerts that way?
If so, does anybody know of a way of any type of wrapper that would
encrypt these alerts?

Thanks
Brad 



-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Best Practices for external sensors jonasb (Jun 17)
- Re: Best Practices for external sensors Todd_Pratt (Jun 17)
- <Possible follow-ups>
- Re: Best Practices for external sensors M. Morgan (Jun 17)
- RE: Best Practices for external sensors Truax, Shawn (MBS) (Jun 18)