Snort mailing list archives

Re: Question about SNORT Sensor Placement


From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 31 Dec 2013 20:02:40 +0000

Check your variables for home and external.  Since your snort box is
sniffing OUTSIDE your firewall, home is going to be your one IP that
the cable modem/firewall gets (assuming the firewall is doing NAT).
External should be everything else.  Does the cable modem act as a
router too?  Is there a private network between it and the firewall, or
is the firewall getting the outside address?  Does that change often,
so that it's going to be hard to know what it is?

Having it on the inside vs. the outside is a matter of what you can
see/control and ease of use.  If someone scans you all day long, do
you want to see all those even though they are not getting through the
firewall?



On Tue, Dec 31, 2013 at 6:45 PM,  <bk6662 () cox net> wrote:
Hello group,

I know that you receive lots of questions on this topic.  But I think I
have followed at least most of the suggestions, and have narrowed down
to possibly a problem with the RULE set that I am using.  I recently
installed Ubuntu and SNORT, following David Gullett's installation
guide.    Everything appears to be working - except.....

I designed my network exactly as described in the diagram of that guide.
My ISP cable modem connects to a router, which connects to a switch
(with a mirrored port).  My firewall is connected to this same switch;
other end of the firewall connects my internal LAN.

The SNORT sensor is in the receiver port of the mirrored switch.  I have
(using WireShark) verified that this port is seeing *all* traffic coming
and going to my internal network.  But I'm not getting any SNORT alerts.
This is even after I ran complete NMAP scans of my network, both from
within the internal LAN, and also from the segment where the SNORT
sensor is located.  It seems that these scans should be generating
thousands of alerts.

In order to make sure the installation is working I briefly implemented
a local rule to alert on *all* traffic.  It generated about 5,000 hits
within less than a minute.  So I think it's working properly.  I'm
guessing the issue is with my rules?

Please let me know how I can troubleshoot this issue, to determine where
the problem lies.  I'll be the first to admit I'm new to SNORT.

Thank you!
Brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

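The point in the reply above is easiest to see with the rule-header address check made explicit. The following is an added example, not code from the thread or from Snort itself: it re-implements how a rule's `$EXTERNAL_NET -> $HOME_NET` address pair is evaluated against packets (assuming the usual default `ipvar EXTERNAL_NET !$HOME_NET`) and shows why a sensor on the outside of a NAT firewall matches nothing while HOME_NET still names the internal LAN. All addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

def parse_ipvar(value):
    """Parse the value of a snort.conf 'ipvar' line: a single CIDR, or a
    bracketed comma-separated list such as [192.168.1.0/24,10.0.0.0/8]."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]

def in_net(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def side_matches(token, ip, home_net):
    """Evaluate one address field of a rule header against a packet address.
    EXTERNAL_NET is taken as the usual default, !$HOME_NET (an assumption)."""
    if token == "any":
        return True
    if token == "$HOME_NET":
        return in_net(ip, home_net)
    if token == "$EXTERNAL_NET":
        return not in_net(ip, home_net)
    raise ValueError(f"unsupported address token: {token}")

def header_matches(rule_src, rule_dst, pkt_src, pkt_dst, home_net):
    """True if a packet satisfies the 'src -> dst' address part of a rule header."""
    return (side_matches(rule_src, pkt_src, home_net)
            and side_matches(rule_dst, pkt_dst, home_net))

def count_matches(packets, home_net_value,
                  rule_src="$EXTERNAL_NET", rule_dst="$HOME_NET"):
    """Number of (src, dst) packets that would reach the rule's payload checks."""
    home_net = parse_ipvar(home_net_value)
    return sum(header_matches(rule_src, rule_dst, s, d, home_net)
               for s, d in packets)

# Constructed sample traffic as the mirror port OUTSIDE the NAT firewall sees it:
# an Internet host (198.51.100.7) probing the firewall's single public address
# (203.0.113.10) three times, plus one reply. The internal 192.168.1.x
# addresses never appear on this side of the firewall.
OUTSIDE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),
    ("198.51.100.7", "203.0.113.10"),
    ("198.51.100.7", "203.0.113.10"),
    ("203.0.113.10", "198.51.100.7"),
]

if __name__ == "__main__":
    # HOME_NET left as the internal LAN: nothing on the outside carries a
    # 192.168.1.x address, so $EXTERNAL_NET -> $HOME_NET rules stay silent.
    print(count_matches(OUTSIDE_PACKETS, "[192.168.1.0/24]"))  # 0
    # HOME_NET set to the address the firewall gets from the cable modem.
    print(count_matches(OUTSIDE_PACKETS, "203.0.113.10/32"))    # 3
```

A catch-all `alert ip any any -> any any` rule fires on every packet regardless of HOME_NET, which is why the local "alert on everything" test in the original question succeeded while the regular ruleset stayed quiet.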
