setting up an IDS..
Results 1 to 8 of 8

Thread: setting up an IDS..

  1. #1
    Member
    Join Date
    Oct 2006
    Posts
    63

    setting up an IDS..

    I was thinking on setting up snort on one of my boxes, but I have a question since in a switch lan I'll be only capturing data in and out of my box only, what's the right way of setting up snort so it captures data in and out of my three servers, without having to put a hub in the middle.........

    thanks in advance.

  2. #2
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    144
    It depends on the switch you are using, if it's a managed switch look into port spanning/mirroring
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    Most dont support that unless they are really high end. You can always use ARP Cache poisioning.

  4. #4
    Member
    Join Date
    Oct 2006
    Posts
    63
    Quote Originally Posted by oofki
    Most dont support that unless they are really high end. You can always use ARP Cache poisioning.
    when I usually want to capture data from a computer in my network that's what I do....but I dont want to leave it running for too long, I may DOS my target machine, because the machine doing the routing or (MITM ATTACK) is just a desktop and not capable of handling big amounts of data.........correct me if I'm wrong

    thanks

  5. #5
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191
    The Wolfman doesn't know if this will suit your cool cat requirements, but perhaps putting a network tap in your DMZ to capture all traffic coming in and out your network?

    For example:

    Internet
    |
    TAP/Snort
    |
    Router
    |
    Server 1 Server 2 Server 3
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    If your goal is to see traffic in/out of your network, you can use some proxy/vpn/firewall/ids all in one like IPCOP. It has snort built right into it and it runs on pretty low hardware. http://ipcop.org Keep in mind, if you do it this way, you're only going to be inspecting traffic to/from the internet. Not ALL traffic on the LAN.

    If you want to capture traffic on your LAN, you'll have to use either the HUB or a port spanning switch. Either way, either physically or logically, you have to put some device between them to capture the traffic betwen them. It's just the rules of networking. Arp spoofing would work for lower end switches, but the higher end swiches have protection against this. I would not use this approach long term or in production for the reason you've already mentioned.

    Be careful which IDS you use and how much resources you have to spare. I just built a snort 2.7.0.1 box to monitor a 100MB connection with Dual Core AMD 64bit processors, 2gigs of DDR2 PC5300 (667mhz) RAM, Hardened (high secure worksation security policy, disabled all unused services, hardened whatever left over services I could) XP Pro 64bit 2003, mysql, IIS6 (w/SSL).

    Snort is using 1.6gigs of memory when starting up and levels off to around 1.5gigs. The commit charge of the box is around 2gigs... so I'm using almost ALL physical memory available and falling back on the pagefile. Not ideal for an IDS... especially since I only have one 7200RPM SATAII HD in there for OS, pagefile, programs, sql database and IIS. I should have two HDs or even three. I'll have to bump the memory even more and look at into getting a second HD to increase read/write performance of the database and IIS. However, at this time... it's not dropping packets and it's in a testing environment.

    I just finally moved away from the 2.4.x line. The 2.4.x line didn't use nearly as much memory...
    Last edited by phishphreek; September 5th, 2007 at 06:38 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Taps are the way to go, if you can afford em.

    I've also tried dumb things like using a box as a router and snort on that box, created a bridge from a linux box and run snort on it.

    Hub are cheap and easy, but Taps are great if your budget will allow it.

    Port mirroring is nice, some switch will actually dump off pcap info that you can run thru snort as well. I don't have access to a Catalyst to check on it, but Nortel Passports have the option for sure.
    Last edited by caveman8fb; September 5th, 2007 at 06:53 PM.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Cisco switches (CatOS and IOS) have this option too. It's called a SPAN (Switched Port ANalyzer) port.

    http://www.cisco.com/warp/public/473/41.html
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Similar Threads

  1. Apache, PHP, MySQL with basic security settings.
    By nightcat in forum The Security Tutorials Forum
    Replies: 9
    Last Post: May 28th, 2005, 02:47 AM
  2. Setting up an FTP server on SUSE Linux 9.1 Professional
    By gore in forum Other Tutorials Forum
    Replies: 0
    Last Post: October 11th, 2004, 07:07 PM
  3. Linux trash bin
    By allenb1963 in forum *nix Security Discussions
    Replies: 1
    Last Post: July 30th, 2003, 05:09 AM
  4. Award BIOS Setting...
    By JohnHACK in forum AntiOnline's General Chit Chat
    Replies: 2
    Last Post: June 7th, 2003, 04:09 AM
  5. Award BIOS Setting...
    By JohnHACK in forum Miscellaneous Security Discussions
    Replies: 8
    Last Post: June 6th, 2003, 05:01 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides