Security Basics mailing list archives

Locking down Snort


From: "Carey Myers" <cmlist170 () hotmail com>
Date: Fri, 25 Jun 2004 16:04:31 -0800

Jose,

You didn't say whether you are using Windows or Linux Snort. I will assume when you said iptables you were referring to *nix, although it does not really change my response. I am also assuming that you are now seeing network traffic that would be ignored unless your sniffer NIC was properly set in promiscuous mode, thus indicating successful Snort configuration and function.

Someone else may speak up with a more in-depth knowledge than myself, but consider this:

As I understand it, a network interface ignores packets not associated with an address it is supposed to answer for UNLESS it is set in promiscuous mode (aside from broadcast messages, but that's another matter). This would indicate to me that whatever raw driver is doing the sniffing for Snort (*nix and Windows both) sees the packets BEFORE the standard OS IP stack gets them--at least for traffic not destined for the IP the card answers for. Otherwise the traffic not bound for the sniffing interface would be dropped before it gets analyzed by Snort, yes?

I have successfully removed and 'disabled' an interface with regards to TCP/IP in both *nix and Windows and still had them sniff properly using Snort. In fact, I have placed an unpatched Windows 2000 Snort box (stand-alone, I'm not crazy!) on the outside of my firewall with no antivirus whatsoever and NO IP associated with it, and it withstood Blaster and various other IP-based worms and even professional penetration testing without incident, indicating to me that the OS IP stack is not associated at all (or ENOUGH, anyway) with the sniffing done for Snort. I still use a Windows Snort box with IPsec authentication only to my desktop machine inside my firewall to give me a better profile on my network. It refuses all connections from any other IP, and even mine without the correct seed phrase set up in IPsec. (Certificates would be better, but I haven't gotten around to that.) The box still sniffs traffic as desired.

I humbly accept any corrections the group may have for incorrect or misleading statements. I am speaking from observation only: not from an in-depth knowledge of how (libpcap, WinPcap?) drivers are used to put a NIC in promiscuous mode, or in what order with respect to an operating system's own stack.

Hope this helps,

Carey

Jose Guevarra asked,

- if I blocked those ports from the outside world would I still detect say a
port scan on those ports?

- Who captures the packets first: Firewall(IPTABLES) or SNORT?

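An added example, not part of Carey's reply or of Snort's own code, showing the Linux mechanism behind both of Jose's questions. libpcap captures through an AF_PACKET socket, and the kernel hands a copy of every received frame to such sockets before the IP layer and netfilter (iptables) look at it; an iptables DROP on a port therefore does not hide a scan of that port from the sniffer, and the capture interface needs no IP address of its own. The script opens that kind of socket in promiscuous mode (the same PACKET_MR_PROMISC membership libpcap requests) and runs a minimal SYN-scan counter over the frames. The frame parser and the detector are also exercised on constructed frames so the logic can be checked without root. The interface name, the hard-coded socket constants (Python does not expose socket.SOL_PACKET), the threshold and the sample addresses are assumptions made for this example.

```python
"""Link-layer SYN-scan sniffer (added example, not from the original post)."""
import socket
import struct
from collections import defaultdict

# Linux AF_PACKET constants; Python's socket module does not export SOL_PACKET.
ETH_P_ALL = 0x0003              # receive every protocol, not only IPv4
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1


def parse_frame(frame: bytes):
    """Decode Ethernet/IPv4/TCP headers from one raw frame.

    Returns (src_ip, dst_ip, dst_port, tcp_flags) for TCP, else None.
    The host's own addresses are never consulted: a frame addressed to some
    other machine is decoded exactly like one addressed to the sniffer.
    """
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:                 # not TCP
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    _src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    return src_ip, dst_ip, dst_port, tcp[13]


class SynScanDetector:
    """Flag a source that sends SYN-only segments to many distinct ports.

    Works on what the wire carries, so it still fires when every one of
    those ports is DROPped by iptables on the target host.
    """
    SYN, ACK = 0x02, 0x10

    def __init__(self, threshold=5):            # threshold is an assumption
        self.threshold = threshold
        self.ports_by_src = defaultdict(set)

    def feed(self, frame: bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            return None
        src_ip, _dst_ip, dst_port, flags = parsed
        if flags & self.SYN and not flags & self.ACK:
            self.ports_by_src[src_ip].add(dst_port)
            if len(self.ports_by_src[src_ip]) >= self.threshold:
                return src_ip
        return None


def build_tcp_frame(src_ip, dst_ip, dst_port, flags=0x02, src_port=40000):
    """Constructed test input: Ethernet + IPv4 + TCP, no options or payload.
    Checksums are left zero; parse_frame does not verify them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags,
                      65535, 0, 0)
    return eth + ip + tcp


def sniff(interface: str, detector: SynScanDetector):
    """Live capture (Linux, needs CAP_NET_RAW). Frames reach this socket
    before the netfilter INPUT chain runs, so an iptables DROP on dst_port
    does not keep them out of this loop."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((interface, 0))
    # struct packet_mreq { int ifindex; u16 type; u16 alen; u8 address[8]; }
    mreq = struct.pack("iHH8s", socket.if_nametoindex(interface),
                       PACKET_MR_PROMISC, 0, b"\x00" * 8)
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    while True:
        scanner = detector.feed(sock.recv(65535))
        if scanner:
            print(f"possible SYN scan from {scanner}")


if __name__ == "__main__":
    import sys
    sniff(sys.argv[1] if len(sys.argv) > 1 else "eth0", SynScanDetector())
```

Run it as root with the capture interface as the argument; adding `iptables -A INPUT -p tcp --dport 22 -j DROP` on the same host changes nothing about what the loop receives, which is the answer to the "who sees it first" question. A real IDS keys on more than distinct-port counts, but the tap point is the same.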

