
Thread: Snort

  1. #1
    Senior Member
    Join Date
    Dec 2002


    Is it a must to install it on a server, or can it go on any PC on the network? And where is the best place to install it?

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Memphis, TN
    Well, Snort is a pretty decent packet sniffer for *nix. It also runs on Windows now too.

    You don't have to have it on a server, as there are other options out there, but Snort is a free program.

    The best place to put snort would be on your gateway so that it can view all traffic.

    As far as the install goes, I don't remember where it installs, but I'm pretty sure it creates a couple of files in /etc/var/log and /etc/var.
    I don't remember exactly, though.

  3. #3
    Senior Member
    Join Date
    Mar 2003
    As cheyenne1212 suggests, I would install snort on a host _on_, in front of, or inline with your gateway to
    the internet; this is where an IDS is going to be most effective as an early-warning tool.

    I personally like to use a VA Linux 2200 Fullon (plentiful on eBay), with OpenBSD and snort. I send all logs
    directly to tape over serial, and configure the box to send pages to my Advisor Elite text pager on anything
    that requires immediate attention. Of course there are _a_ ton of possible configurations, just giving you an
    example of how I use it.

    Happy Holidays

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  4. #4
    Senior Member
    Join Date
    Sep 2003
    I would put one on the inside and one on the outside of the network.

    Also check out the Snort FAQ; they have a great explanation on this topic.

    2.5 Where's a good place to physically put a Snort sensor?

    This is going to be heavily influenced by your organization's policy, and what
    you want to detect. One way of looking at it is determining if you want to
    place it inside or outside your firewall. Placing an IDS outside of your
    firewall will allow you to monitor all attacks directed at your network,
    regardless of whether or not they are stopped at the firewall. This almost
    certainly means that the IDS will pick up on more events than an IDS inside the
    firewall, and hence more logs will be generated. Place an IDS inside your
    firewall if you are only interested in monitoring traffic that your firewall
    let pass. If resources permit, it may be best to place one IDS outside and one
    IDS inside of your firewall. This way you can watch for everything directed at
    your network, and anything that made its way in.


    Note: So this one still gets a lot of traffic even though it's in the FAQ. Erek
    Adams has noted this comprehensive and authoritative discussion of this
    perpetual discussion item - mildly edited, also see faq question about switches
    hubs and taps -dr

    If your router/switch can do port mirroring then just connecting a network IDS
    to it would be fine. Otherwise a hub could be another option. Most network IDSs
    can have a NIC that acts as a passive sniffer anyway.

    As to where to place the sensor, I would go for both: one to monitor the
    external, one for the internal. I work in a distributor for security products,
    so over-instrumentation is fun. And in any case, if the traffic does not pass
    by the sensor it will not get monitored. So some people deploy IDS on their
    internal segments too, I believe.

    In ``front'' of the firewall(s):

    Pro: Higher state of alert; you know what attacks you are facing.

    Con: Wall to Wall of data, boring? If your firewall has NAT turned on, tracking
    the sources originating from your internal network is difficult.

    ``Behind'' the firewall(s):

    Pro: Only what gets through the firewall gets monitored? Less load on the IDS
    analyst. You get to see what hosts are sending traffic to the internet.

    Con: Less idea of the state of the environment, false sense of safety.

    Where should IDS be placed relative to firewalls? Explore the pros and cons of
    placing IDS inside or outside the firewall. What are the drawbacks of each?

    * MARCUS RANUM from NFR Security: ``I'd put mine inside. Why should I care if
    someone is attacking the outside of my firewall? I care only if they
    succeed, which my IDS on the inside would ideally detect. Placing the IDS
    on the outside is going to quickly lull the administrator into complacency.
    I used to have a highly instrumented firewall that alerted me whenever
    someone attacked it. Two weeks later I was deleting its alert messages
    without reading them. Another important factor arguing for putting it
    inside is that not all intrusions come from the outside or the firewall. An
    IDS on the inside might detect new network links appearing, or attackers
    that got in via another avenue such as a dial-in bank.''
    * CURRY from IBM: ``The IDS should be placed where it will be able to see as
    much of the network traffic you're concerned about as possible. For
    example, if you're concerned about attacks from the Internet, it makes the
    most sense to put the IDS outside the firewall. This gives it an "unobstructed" view of
    everything that's coming in. If you put the IDS inside the firewall, then
    you're not seeing all the traffic the bad guys are sending at you, and this
    may impact your ability to detect intrusions.''
    * SUTTERFIELD from Wheel Group: ``IDS ideally plays an important role both
    inside and outside a firewall. Outside a firewall, IDS watches legitimate
    traffic going to public machines such as e-mail and Web servers. More
    importantly IDS outside a firewall will see traffic that would typically be
    blocked by a firewall and would remain undetected by an internal system.
    This is especially important in detecting network sweeping which can be a
    first indication of attack. External systems will also give you the benefit
    of monitoring those services that firewalls determine are legitimate.
    Putting an IDS inside the firewall offers the added benefit of being able
    to watch traffic internal to the protected network. This adds an important
    element of protection against insider threats. The major drawback of IDS
    inside a firewall is that it cannot see a good deal of important traffic
    coming from untrusted networks and may fail to alert on obvious signals of
    an impending attack.''
    * CHRIS KLAUS from ISS: ``Outside the firewall is almost always a good
    idea-it protects the DMZ devices from attack and dedicates an additional
    processor to protecting the internal network. Just inside the firewall is
    also useful-it detects attempts to exploit the tunnels that exist through
    the firewall and provides an excellent source of data for how well your
    firewall is working. Throughout your intranet may be the best place for IDS
    deployment, however. Everyone agrees that attacks aren't the only things
    we're worried about-there's internal mischief, fraud, espionage, theft, and
    general network misuse. Intrusion detection systems are just as effective
    inside the network as outside, especially if they're unobtrusive and easy
    to deploy.''
    * GENE SPAFFORD: ``The IDS must be inside any firewalls to be able to detect
    insider abuse and certain kinds of attacks through the firewall. IDS
    outside the firewall may be useful if you want to monitor attacks on the
    firewall, and to sample traffic that the firewall doesn't let through.
    However, a true IDS system is likely to be wasted there unless you have
    some follow-through on what you see.''
    * Bottom Line:

    DRAGOS RUIU: ``just pick a spot you're likely to look at the logs for :-)''
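A worked example, added here and not taken from the Snort FAQ or from any of the posts above, for the two-sensor layout the FAQ settles on (one outside, one inside). It takes Snort "fast" alert lines from both sensors and shows the two things the FAQ's pros and cons describe: alerts that only the outside sensor saw (for inbound traffic, what the firewall dropped, which is the "how well your firewall is working" data point in the Klaus quote), and the NAT attribution problem, where an outbound alert seen outside carries the firewall's public address and has to be mapped back to the real internal host with the firewall's translation log. Everything here is assumed or constructed: the public address 203.0.113.1, the year used for parsing (fast alerts carry no year), the sample alert lines, and the one-line NAT log format, which is invented for the example and is not any real firewall's syslog output. The example also assumes only outbound source NAT, so inbound flows to the DMZ look the same on both sides.

```python
"""Correlate Snort 'fast' alerts from an outside and an inside sensor across a NAT firewall.

Added example; not code from the Snort FAQ or any poster in the thread. Assumptions:
  - both sensors log with `snort -A fast` (gid:sid:rev, {PROTO} src:port -> dst:port);
  - the firewall source-NATs outbound traffic to PUBLIC_IP; DMZ hosts keep public
    addresses, so inbound flows look identical on both sides;
  - NAT translations arrive in a constructed line format (not any real firewall's):
        MM/DD-HH:MM:SS.ffffff NAT <inside_ip>:<port> -> <public_ip>:<port>
"""
import dataclasses
import re
from datetime import datetime
from typing import Optional

YEAR = 2024                # fast alerts carry no year; one is assumed for parsing
PUBLIC_IP = "203.0.113.1"  # the firewall's outside (NAT) address; assumed

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")
NAT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+NAT\s+"
    r"(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+->\s+(?P<pub_ip>[\d.]+):(?P<pub_port>\d+)\s*$")


@dataclasses.dataclass(frozen=True)
class Alert:
    when: datetime
    sid: str
    msg: str
    proto: str
    src: str
    sport: Optional[int]   # None for ICMP alerts, which carry no ports
    dst: str
    dport: Optional[int]

    def flow(self):
        # Identity used to match the same event on both sensors (time excluded).
        return (self.sid, self.proto, self.src, self.sport, self.dst, self.dport)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(f"{YEAR}/{s}", "%Y/%m/%d-%H:%M:%S.%f")


def parse_fast(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; returns None for lines that are not alerts."""
    m = FAST_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    port = lambda v: int(v) if v else None
    return Alert(parse_ts(g["ts"]), g["sid"], g["msg"], g["proto"],
                 g["src"], port(g["sport"]), g["dst"], port(g["dport"]))


def parse_nat(lines):
    """Map (public_ip, public_port) -> [(start_time, inside_ip, inside_port), ...], oldest first."""
    table = {}
    for m in filter(None, map(NAT_RE.match, lines)):
        g = m.groupdict()
        table.setdefault((g["pub_ip"], int(g["pub_port"])), []).append(
            (parse_ts(g["ts"]), g["in_ip"], int(g["in_port"])))
    for entries in table.values():
        entries.sort()
    return table


def untranslate(alert: Alert, nat, public_ip: str = PUBLIC_IP) -> Optional[Alert]:
    """Rewrite an outside-sensor alert sourced from the NAT address back to the inside host.

    Unchanged if the source is not the NAT address; None when no translation of that
    public port started before the alert (the attribution gap the FAQ lists as the NAT 'Con').
    """
    if alert.src != public_ip or alert.sport is None:
        return alert
    earlier = [e for e in nat.get((alert.src, alert.sport), []) if e[0] <= alert.when]
    if not earlier:
        return None
    _, in_ip, in_port = earlier[-1]  # most recent translation of that public port
    return dataclasses.replace(alert, src=in_ip, sport=in_port)


def compare_sensors(outside_lines, inside_lines, nat_lines, public_ip=PUBLIC_IP):
    """Classify outside-sensor alerts: 'outside_only' (for inbound flows, what the firewall
    dropped), 'seen_both' (passed the firewall), 'unattributed' (NAT source unresolved)."""
    nat = parse_nat(nat_lines)
    inside = {a.flow() for a in map(parse_fast, inside_lines) if a}
    result = {"outside_only": [], "seen_both": [], "unattributed": []}
    for a in filter(None, map(parse_fast, outside_lines)):
        mapped = untranslate(a, nat, public_ip)
        if mapped is None:
            result["unattributed"].append(a)
        elif mapped.flow() in inside:
            result["seen_both"].append(mapped)
        else:
            result["outside_only"].append(mapped)
    return result


# Constructed sample logs for the example, not captured from a real deployment.
OUTSIDE = [
    "01/02-10:00:01.000000  [**] [1:1000001:1] EXAMPLE telnet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 203.0.113.10:23",
    "01/02-10:00:02.000000  [**] [1:1000002:1] EXAMPLE web attack [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 203.0.113.10:80",
    "01/02-10:00:03.000000  [**] [1:1000003:1] EXAMPLE outbound IRC [**] [Priority: 1] {TCP} 203.0.113.1:50001 -> 198.51.100.99:6667",
    "01/02-10:00:04.000000  [**] [1:1000003:1] EXAMPLE outbound IRC [**] [Priority: 1] {TCP} 203.0.113.1:50002 -> 198.51.100.99:6667",
]
INSIDE = [
    "01/02-10:00:02.000000  [**] [1:1000002:1] EXAMPLE web attack [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 203.0.113.10:80",
    "01/02-10:00:03.000000  [**] [1:1000003:1] EXAMPLE outbound IRC [**] [Priority: 1] {TCP} 10.0.0.42:33333 -> 198.51.100.99:6667",
]
NAT_LOG = ["01/02-10:00:02.900000 NAT 10.0.0.42:33333 -> 203.0.113.1:50001"]
```

Running `compare_sensors(OUTSIDE, INSIDE, NAT_LOG)` on the constructed logs puts the telnet probe under `outside_only` (the firewall dropped it, so the inside sensor never saw it), the web attack and the IRC connection under `seen_both` with the IRC alert's source rewritten from 203.0.113.1:50001 to 10.0.0.42:33333, and the second IRC alert under `unattributed`, because no translation for public port 50002 was logged before it. Matching on the most recent translation of a public port is the simplest workable rule; a real deployment would also bound the lookup by a time window and clock-sync the sensors and firewall, since without that the same public port reused by a different host leads to the wrong attribution.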
