
Thread: Snort sensor location

  1. #1
    Junior Member
    Join Date
    Jan 2002
    Posts
    11

    Snort sensor location

    I have had Snort running for some time now with the switch ports to my web and e-mail server mirrored to the port Snort is connected to. This seems to be working fine but I am now wondering if I should instead mirror the port that the router is connected to instead - I'd still be capturing the traffic to the web and mail servers - my fear is that I may be missing something.

    Comments?

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Dantel: Er.... Yeah, you are missing a lot of stuff.....

    If those two machines are the only public machines then you are capturing all the inbound/outbound traffic from them. But, you are not seeing any of the outbound traffic from your other machines. Thus, if one of your users downloads malicious code that sets up an outbound connection that can be reversed, (there are many that will do this), then you will never know.

    I prefer to watch all the traffic in and out for signatures/scans/etc. Pop a hub between your final switch and the router and attach the sniffer there.... Then you get everything going in and out of your network.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    115
    Having your snort on a mirror port is going to get just the internal traffic (R <-> L) from your switch. Although you may use a span port on your switch, you need to sit it outside where your public IP leases are. I would recommend setting up a DMZ zone and placing your equipment there. Also check out inline-snort.

    -w0rm3y

  4. #4
    I would think about doing this:

    1) I would think about replacing your DMZ switch with a hub, or at least spanning the port that leads to your DMZ router. If your DMZ is on its own VLAN, then you might want to see if you can port monitor the entire VLAN. Either way, your DMZ is your most vulnerable point, so seeing all the traffic running on it is pretty much essential.

    2) Have at least three sensors. The first one should be sniffing all traffic before it enters your network. Put this on the WAN, right before the first packet filtering device. The second sensor should be watching all of your DMZ traffic. The third sensor should sit right after your last packet filtering device between your LAN and WAN. This will give you a good indication of 1) What attempts are made against your network. 2) What attempts make it past the first packet filtering device and onto your DMZ 3) What attempts make it past the last packet filtering device sitting between your LAN and WAN. You will also be able to monitor suspicious outgoing traffic from your LAN.

    3) All your sensors can run on the same multihomed box, so make sure you have at least 4 interfaces. The first three interfaces, the interfaces that will do the monitoring, should sit on your WAN, DMZ and LAN, but should have no IP address bound to them at all. They should only listen (sniff). Both snort and tcpdump can be run on an interface without giving it an IPv4 address. This will help against having your monitor found and exploited itself. The fourth interface should be on your LAN and have an IP address. This interface will only be used to log into the sensor and administer it, but should not have an instance of your IDS on it.

    I've done the above a few times with snort and some old comps and hubs and have had pretty good results. If you have the resources, that would be my minimum setup.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I don't fully understand how the "mirroring" mechanism works on these switches - does it mirror traffic in both directions?

    If it does, then if you mirror the router's port, that would be ideal, as you would see all traffic coming in and out (some snort rules match outgoing traffic)

    Otherwise I'd recommend getting a small hub, putting it between the switch and the router, and connecting an additional port to the snort box (which would have much the same effect)

    If your router is doing packet filtering (or there is a firewall additionally somewhere in front), it might be worthwhile putting a snort sensor as near to the outside as possible. You'll see more port scans that way certainly (although attacks on open stuff will be detected either way)

  6. #6
    Originally posted here by slarty
    I don't fully understand how the "mirroring" mechanism works on these switches - does it mirror traffic in both directions?
    Mirroring, monitoring or spanning (whatever you want to call it) simply copies all traffic destined to one port to an additional (or monitoring) port. So if you span your FastEthernet switch ports 0/18 and 0/19 back to port 0/1, then port 0/1 will receive a copy of everything that is sent to port 0/18 and 0/19.

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I'd be careful when placing a snort sensor outside your external router as that will generate a lot of traffic until you really tighten up the signatures. However some people do find this useful as they would like to know what is being sent to them regardless of whether or not it actually gets into their network. Personally I question the usefulness of placing a sensor out there unless you want to collect statistics to scare someone.

    Definitely have one in your DMZ, as this is traffic that is now in your network, and try and place one in the internal LAN. If you have any other network segments (such as a further secured segment for your servers) then place one in there too.

    I would advise against placing all the sensors on one box for two reasons:
    i) This creates a single point of failure in your IDS; lose that box and you lose your IDS
    ii) There could be a huge amount of traffic needing to be analysed by that box which may bog it down a little.
    Quis custodiet ipsos custodes

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Originally posted here by tolstoy
    Mirroring, monitoring or spanning (whatever you want to call it) simply copies all traffic destined to one port to an additional (or monitoring) port. So if you span your FastEthernet switch ports 0/18 and 0/19 back to port 0/1, then port 0/1 will receive a copy of everything that is sent to port 0/18 and 0/19.
    I'm still not sure if that answers my question:

    If port 1 receives a copy of everything that is sent to ports 18 or 19, then it doesn't necessarily get everything that's sent *from* ports 18, 19, only *to* them?

    If so, then it would ruin snort's chance, as it would only see outgoing packets (from the switch *to* the router) not incoming ones (from the router *to* the switch)

  10. #10
    Originally posted here by R0n1n
    I'd be careful when placing a snort sensor outside your external router as that will generate a lot of traffic until you really tighten up the signatures. However some people do find this useful as they would like to know what is being sent to them regardless of whether or not it actually gets into their network. Personally I question the usefulness of placing a sensor out there unless you want to collect statistics to scare someone.

    Definitely have one in your DMZ, as this is traffic that is now in your network, and try and place one in the internal LAN. If you have any other network segments (such as a further secured segment for your servers) then place one in there too.

    I would advise against placing all the sensors on one box for two reasons:
    i) This creates a single point of failure in your IDS; lose that box and you lose your IDS
    ii) There could be a huge amount of traffic needing to be analysed by that box which may bog it down a little.

    To disagree with myself, and agree with Ronin, if you have the money, multiple sensors on multiple boxes is definitely the way to go. Also, depending on the amount of traffic on your LAN/WAN, one box may become bogged down, so size your boxes accordingly. If you find yourself with too much traffic bogging down your sensor, maybe think about logging snort to barnyard, then using barnyard to output your alerts.

    As for a sensor on the WAN, I used to think it was a bad idea too as it creates a ton of alerts. I also used to think "If these alerts don't make it to the LAN or DMZ, and I'm not going to prosecute anyone or contact abuse@myisp.com, why even bother." However, once I started watching this traffic, I feel a little blind without it. Just a matter of habit, taste and time really.

    Originally posted here by slarty
    I'm still not sure if that answers my question:

    If port 1 receives a copy of everything that is sent to ports 18 or 19, then it doesn't necessarily get everything that's sent *from* ports 18, 19, only *to* them?

    If so, then it would ruin snort's chance, as it would only see outgoing packets (from the switch *to* the router) not incoming ones (from the router *to* the switch)
    AFAIK, port one will see everything going through those ports, both sent and received.
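Whether a SPAN feed really carries both directions (the question raised in #9 and answered in #10) is worth checking before trusting the sensor: capture on the monitor port and count packets going to and from the mirrored host. The following is an added example, not code from any poster, written in Python over constructed `tcpdump -nn` style lines; the addresses (192.0.2.10 for the mirrored web server, 203.0.113.5 for a client) are documentation ranges chosen for illustration.

```python
import re
from collections import Counter

# Matches the "src.port > dst.port:" part of a tcpdump -nn line (IPv4 only).
LINE_RE = re.compile(r"\bIP (\S+)\.(\d+) > (\S+)\.(\d+):")


def direction_counts(lines, monitored_ip):
    """Count packets seen going to (rx) and from (tx) monitored_ip."""
    counts = Counter(rx=0, tx=0, other=0, skipped=0)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            counts["skipped"] += 1   # ARP, non-IP, or a line we don't parse
            continue
        src, dst = m.group(1), m.group(3)
        if src == monitored_ip:
            counts["tx"] += 1
        elif dst == monitored_ip:
            counts["rx"] += 1
        else:
            counts["other"] += 1
    return counts


def span_verdict(lines, monitored_ip):
    """Return 'both', 'rx-only', 'tx-only' or 'none' for the mirrored feed."""
    c = direction_counts(lines, monitored_ip)
    if c["rx"] and c["tx"]:
        return "both"
    if c["rx"]:
        return "rx-only"
    if c["tx"]:
        return "tx-only"
    return "none"


# Constructed sample: a client fetching a page from the mirrored web server;
# the ARP line is there to exercise the skip path.
SAMPLE_BOTH = [
    "12:00:01.000001 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28",
    "12:00:01.000100 IP 203.0.113.5.49152 > 192.0.2.10.80: Flags [S], seq 1, length 0",
    "12:00:01.000200 IP 192.0.2.10.80 > 203.0.113.5.49152: Flags [S.], seq 9, ack 2, length 0",
    "12:00:01.000300 IP 203.0.113.5.49152 > 192.0.2.10.80: Flags [.], ack 10, length 0",
    "12:00:01.000400 IP 203.0.113.5.49152 > 192.0.2.10.80: Flags [P.], seq 2:80, length 78",
    "12:00:01.000500 IP 192.0.2.10.80 > 203.0.113.5.49152: Flags [P.], seq 10:500, length 490",
]
# The same exchange as it looks when the SPAN session only copies packets
# *received by* the server's port: the server's replies never show up.
SAMPLE_RX_ONLY = [l for l in SAMPLE_BOTH if "IP 192.0.2.10." not in l]

if __name__ == "__main__":
    for name, sample in (("full", SAMPLE_BOTH), ("one-way", SAMPLE_RX_ONLY)):
        print(name, span_verdict(sample, "192.0.2.10"), dict(direction_counts(sample, "192.0.2.10")))
```

On a real sensor, pipe `tcpdump -nn -i <monitor interface>` output into `direction_counts` for a minute or so; a verdict other than "both" means the mirror session (or a hub/tap substitute) needs attention before Snort's two-way rules can be relied on.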
