Snort mailing list archives
Re: Best Practices for external sensors
From: "M. Morgan" <mikemorgan () mindspring com>
Date: Thu, 17 Jun 2004 15:35:44 -0400 (GMT-04:00)
USe Open SSL for the encrypted transmission from snortcenter to mysql: http://users.pandora.be/larc/download If you want to have a snort node sniffing outside the LAN and still have it pipe results back to the mysql database you can set your sniffing NIC to 0.0.0.0 and 255.255.255.255, additionally, you'll need to set a "DROP if incoming interface is eth0" rule in iptables so eth0 (the sniffed NIC) will discard any unsolicated traffic. Use tcpdump <sniffed NIC> to check the NIC and be sure it is still sniffing traffic on the hostile segment. If the snort node has multiple NIC's edit the routing table (man route) to remove the defualt route from the sniffed NIC, the internal NIC (eth1?) should have the route needed to reach the internal LAN. The above methods will provide you with a NIC that is unresponsive to the hostile segment and does nothing but sniff, the other NIC (eth1) is used by the snort node to pipe results inbound with ssl. You may also be able to drop incoming traffic on that mirrored port via the switch settings as an added precaution. In addition, harden the sensor to the best of your ability via iptables, bastille or whatever makes you comfortable I have a distributed snort/mysql/snortcenter NID system running here, if you need additional input email be privately if you wish. Michael -----Original Message----- From: jonasb () alum rpi edu Sent: Jun 17, 2004 9:04 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Best Practices for external sensors I currently have a Snort infrastructure set up on my internal network with several sensors managed via SnortCenter, logging to a centralized MySQL DB. I am looking to deploy a sensor on our outside network (off of a mirrored port on a switch). There are several firewalls with outside interfaces on this switch. I'm trying to get an idea of the best/most secure way to funnel alerts/logs back into the network to our centralized logging server. I thought of some type of VPN tunnel inbound, but my concern is that if the sensor were to be compromised, there would be a direct path into the network. I obviously don't want to multi-home the sensor inside/outside. Is my best bet just to open up SQL connectivity from this external sensor to the inside DB on the firewall and stream the alerts that way? If so, does anybody know of a way of any type of wrapper that would encrypt these alerts? Thanks Brad ------------------------------------------------------- This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Best Practices for external sensors jonasb (Jun 17)
- Re: Best Practices for external sensors Todd_Pratt (Jun 17)
- <Possible follow-ups>
- Re: Best Practices for external sensors M. Morgan (Jun 17)
- RE: Best Practices for external sensors Truax, Shawn (MBS) (Jun 18)