Snort mailing list archives

RE: Monitoring multiple devices with SNORT


From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Fri, 9 Apr 2004 12:25:54 -0400

I would first check to make sure you don't have a switching HUB.  I made
that mistake once myself.  Sometimes it's hard to tell.  If you post the
brand name and model someone here should be able to tell you.  Second I
would reconfigure your Snort setup to look like this.


Internet ------  hub ---- firewall ------ LAN
                  |                      |
         (Monitor Interface)      (Mgmt. Interface)
                  |                      |
                  SNORT-------------------


By putting the sniffer interface on the HUB and a management interface
behind the firewall, Snort becomes virtually invisible to the outside world,
which reduces the chances of you getting compromised. (Don't assign an IP to
the monitor interface.)  You can also create special firewall rules to only
allow certain IP addresses to connect to the Snort box from the outside if
you want to be able to monitor from remote locations.

One thing I would also suggest is putting a second sniffer interface (total
3 interfaces for the whole solution) behind the firewall.  The interface in
front will give you lots of useful info, but it's also going to give you
everything coming at you.  The firewall should be configured to block most
of the noise off the internet.  By having an interface behind the firewall
you can see what gets through.  You can also use both interfaces to monitor
firewall policy enforcement.  I do this by creating custom rules on Snort to
monitor some of the important firewall rules I have.  For example, if you
block all incoming port 123 traffic, write a rule to watch for any external
IPs getting through on port 123 and alarm you if that happens.

Another neat little trick I like to do is set the outside (Internet side)
monitor interface's HOME_NET as the entire internet and the EXTERNAL_NET as my
network.  By doing this you can have Snort monitor what is leaving your
network and you can then watch for traffic that you don't want to exit your
network, i.e. FTP, SNMP, etc.  I have seen too many misconfigured computers
out there sending stuff out onto the internet because someone typoed an IP
address during a config setup.

Hope all that advice helps you. I kinda rambled on there.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107
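The two rule ideas in the reply above (the inside-interface "did it get through the firewall" check, and the inverted HOME_NET/EXTERNAL_NET egress watch on the outside interface) written out as a Snort 2.x configuration fragment. This is an added illustration, not part of Shawn's mail; the LAN range 192.0.2.0/24, the interface names eth1/eth2 and the SIDs are assumptions.

```snort
# Added example, not from the original mail. Two Snort 2.x instances, one per
# sniffer interface. Assumed: LAN is 192.0.2.0/24 (a documentation range),
# hub-side interface is eth1, inside interface is eth2, SIDs start at 1000001.

# ---- inside.conf : sniffer behind the firewall  (snort -i eth2 -c inside.conf)
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET

# Firewall policy check: the firewall is supposed to block all inbound port
# 123. Any match here, on the INSIDE interface, means it got through.
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"FW POLICY - inbound udp/123 passed the firewall"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"FW POLICY - inbound tcp/123 passed the firewall"; sid:1000002; rev:1;)

# ---- outside.conf : sniffer on the hub, Internet side  (snort -i eth1 -c outside.conf)
# Inverted as described: HOME_NET is "the entire internet", EXTERNAL_NET is
# our LAN, so an $EXTERNAL_NET -> $HOME_NET rule now fires on traffic that
# is LEAVING our network.
var EXTERNAL_NET 192.0.2.0/24
var HOME_NET !$EXTERNAL_NET

# Egress watch: FTP control and SNMP should never leave the LAN.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EGRESS - FTP leaving the LAN"; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"EGRESS - SNMP leaving the LAN"; sid:1000004; rev:1;)
```

Because the outside instance has its variables swapped, any stock rule loaded into it that reads `$EXTERNAL_NET any -> $HOME_NET` is also turned into an outbound check, so keep the two instances' rule sets separate.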




-----Original Message-----
From: David Nardoni [mailto:dnardoni () firstresponseconsulting com]
Sent: April 8, 2004 1:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Monitoring multiple devices with SNORT


I want to monitor some traffic outside my firewall.

Here is how I have things set up

Internet ------  hub ---- firewall ------ LAN
                        |
                        |
                    SNORT


I am getting hits directly on the snort box and I am showing traffic coming
out of the LAN but I do not appear to be showing the traffic coming from the
internet to the firewall.

Any suggestions on where to look for the problems?




David Nardoni CISSP
First Response Consulting Services, Inc.  
dnardoni () firstresponseconsulting com 




