Snort mailing list archives
RE: Monitoring multiple devices with SNORT
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Fri, 9 Apr 2004 12:25:54 -0400
I would first check to make sure you don't have a switching hub. I made that mistake once myself. Sometimes it's hard to tell. If you post the brand name and model, someone here should be able to tell you.

Second, I would reconfigure your Snort setup to look like this:

    Internet ------ hub ---- firewall ------ LAN
                     |                  |
            (Monitor Interface)   (Mgmt. Interface)
                     |                  |
                   SNORT-------------------

By putting the sniffer interface on the hub and a management interface behind the firewall, it allows Snort to become virtually invisible to the outside world and reduces the chances of you getting compromised. (Don't assign an IP to the monitor interface.) You can create special firewall rules to only allow certain IP addresses to connect to the Snort box from the outside as well, if you want to be able to monitor from remote locations.

One thing I would also suggest is putting a second sniffer interface (total 3 interfaces for the whole solution) behind the firewall. The interface in front will give you lots of useful info, but it's also going to give you everything coming at you. The firewall should be configured to block most of the noise off the internet. By having an interface behind the firewall you can see what gets through. You can also use both interfaces to monitor firewall policy enforcement. I do this by creating custom rules on Snort to monitor some of the important firewall rules I have. For example, if you block all incoming port 123 traffic, write a rule to watch for any external IPs getting through on port 123 and alarm you if that happens.

Another neat little trick I like to do is set the outside (Internet side) monitor interface's HOME_NET as the entire internet and the EXTERNAL_NET as my network. By doing this you can have Snort monitor what is leaving your network, and you can then watch for traffic that you don't want to exit your network, e.g. FTP, SNMP, etc. I have seen too many mis-configured computers out there sending stuff out onto the internet because someone typoed an IP address during a config setup.

Hope all that advice helps you. I kinda rambled on there.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: David Nardoni [mailto:dnardoni () firstresponseconsulting com]
Sent: April 8, 2004 1:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Monitoring multiple devices with SNORT

I want to monitor some traffic outside my firewall. Here is how I have things set up:

    Internet ------ hub ---- firewall ------ LAN
                     |
                     |
                   SNORT

I am getting hits directly on the Snort box and I am showing traffic coming out of the LAN, but I do not appear to be showing the traffic coming from the internet to the firewall. Any suggestions on where to look for the problems?

David Nardoni CISSP
First Response Consulting Services, Inc.
dnardoni () firstresponseconsulting com
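The two policy-monitoring ideas in Shawn's reply, a rule on the inside sensor that fires when supposedly blocked port 123 traffic reaches the LAN, and the swapped HOME_NET/EXTERNAL_NET on the outside sensor to catch unwanted egress such as FTP and SNMP, written out as two Snort 2 configuration files. This is an added example, not code from the thread; the 192.0.2.0/24 LAN range, the interface names and the SIDs are assumptions.

```snort
# ===== File 1: inside.conf (sniffer interface behind the firewall, e.g. eth2) =====
#   snort -i eth2 -c inside.conf
var HOME_NET 192.0.2.0/24        # assumed LAN range (constructed, RFC 5737 block)
var EXTERNAL_NET !$HOME_NET

# The firewall is supposed to drop ALL inbound port 123 traffic.
# A match here means a packet made it through the firewall, so this is a
# firewall policy-enforcement failure, not an ordinary IDS signature hit.
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"LOCAL FIREWALL-LEAK inbound UDP/123 reached LAN"; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"LOCAL FIREWALL-LEAK inbound TCP/123 reached LAN"; classtype:policy-violation; sid:1000002; rev:1;)

# ===== File 2: outside.conf (sniffer interface on the hub, e.g. eth1, no IP) =====
#   snort -i eth1 -c outside.conf
# HOME_NET and EXTERNAL_NET are deliberately inverted: "home" is the whole
# internet and "external" is our own LAN, so the rules below fire on traffic
# LEAVING the network rather than entering it.
var HOME_NET any
var EXTERNAL_NET 192.0.2.0/24    # same assumed LAN range

# Protocols we never expect to leave the LAN (a typoed IP in a config is a
# common cause); a match points at a mis-configured internal host.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL EGRESS FTP control channel leaving LAN"; flow:to_server,established; classtype:policy-violation; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"LOCAL EGRESS SNMP leaving LAN"; classtype:policy-violation; sid:1000004; rev:1;)
```

Keep the two files separate: the var lines are opposite on purpose and must not be merged into a single snort.conf, and an alert from File 1 on a port the firewall claims to block is a firewall bug to chase, not noise to tune out.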