Snort mailing list archives

Re: Complex network + Multi-interface sensor = trouble


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 11 Dec 2001 12:12:19 -0800 (PST)

On Tue, 11 Dec 2001, Jeff Newton wrote:

> I want to monitor multiple subnets (internet, DMZ, internal, etc) with a
> single multi-interface sensor and have a few implementation questions:

Okie.

> 1)  Is it best/possible to run on all interfaces using a single
> snort.conf?  My initial sensor test fired constantly on detected RPC
> traffic and I imagine tuning this out, only on specific interfaces will
> be a real challenge.

It is possible, but...  <see below>

> 2)  Can EXTERNAL_NET be defined as any not-equal-to HOME_NET?  I suspect
> this isn't the default, which is why the RPC rule was firing on
> HOME_NET to HOME_NET traffic - the rpc rule fires on any -> HOME_NET.

Yeppers....  Have it as:

var EXTERNAL_NET !$HOME_NET

> Any other multi-interface sensor implementation help/suggestions would
> be greatly appreciated.

You can run one single conf for multi interfaces, but I wouldn't (personally)
do that.  Consider what you are trying to watch for.  Keep in mind that you
want snort to run as fast as possible.  For example:

  DMZ1:  IIS <shudder>, SMTP, DNS
  DMZ2:  Apache, DNS, MySQL (customer data?)

Now, in DMZ1 you could care less about a MySQL attack, so why bother?  You
SURELY would want every rule regarding IIS in there, but why would you care
about Apache exploits, or even ICQ Webserver DOS?  Prune your rules for what's
going on in that DMZ....

DMZ2:  No IIS rules, no SMTP rules, etc...

Build 2 separate .conf files, locate them in different home dirs, run 2
sensors or 2 instances on the same sensor, log to 2 different directories or
to a shared file system.

R/O Cable and/or taps highly suggested.

Backend NIC for administration.  IPF that nic so that only the admin station
can get to it, or a very specific set of machines.  Have OOB (out of band)
access to the box (just in case...)

Don't skimp on hardware.  :)  Lotsa fast disks and CPU.

Log to the backend, and use something like ACID/DeMarc/<roll your own> to
view/manage alerts.

<shameless plug>

And the best thing I can suggest:  http://www.sourcefire.com/sensor.html
;-)

</shameless plug>

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
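The two points in Erek's reply (define EXTERNAL_NET as `!$HOME_NET`, and build one pruned .conf per segment with its own snort instance) as an added POSIX shell example; this is not code from the post or from the Snort project. It assumes Snort 1.x snort.conf syntax (`var`, `include $RULE_PATH/...`), that rule files with the names used here (web-iis.rules, smtp.rules, dns.rules, web-cgi.rules, mysql.rules) live under `../rules`, and the subnets, interface names and log paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: generate one pruned snort.conf per monitored DMZ and print the
# per-interface command line that would start each instance. Rule file names,
# subnets and interfaces below are assumptions, not values from the post.

# build_sensor_conf NAME HOME_NET OUTDIR RULEFILE...
# Writes OUTDIR/NAME.conf with the HOME_NET/EXTERNAL_NET vars and only the
# listed rule files, so the DMZ1 instance never loads MySQL rules and the
# DMZ2 instance never loads IIS rules. Prints the path of the written file.
build_sensor_conf() {
    name=$1; home_net=$2; outdir=$3
    shift 3
    conf="$outdir/$name.conf"
    mkdir -p "$outdir"
    {
        echo "# $name sensor config (generated by the example script)"
        echo "var HOME_NET $home_net"
        # EXTERNAL_NET = "anything that is not HOME_NET": HOME_NET -> HOME_NET
        # traffic then no longer matches rules written as EXTERNAL_NET -> HOME_NET.
        echo "var EXTERNAL_NET !\$HOME_NET"
        echo "var RULE_PATH ../rules"   # assumed location of the rule files
        for rf in "$@"; do
            echo "include \$RULE_PATH/$rf"
        done
    } > "$conf"
    echo "$conf"
}

# snort_cmdline NAME IFACE CONF LOGDIR
# Returns the command for one instance: -i interface, -c config file,
# -l log directory, -D run as daemon (all standard snort 1.x options).
snort_cmdline() {
    echo "snort -D -i $2 -c $3 -l $4"
}

# count_includes CONF -> number of rule files the config pulls in
count_includes() {
    grep -c '^include ' "$1"
}

# conf_has_rule CONF RULEFILE -> success if the config includes RULEFILE
conf_has_rule() {
    grep -q "^include .*/$2\$" "$1"
}

# Demo: two DMZs, two pruned configs, two instances on one sensor box.
WORK=${TMPDIR:-/tmp}/snort-multi-demo
dmz1=$(build_sensor_conf dmz1 192.168.1.0/24 "$WORK" web-iis.rules smtp.rules dns.rules)
dmz2=$(build_sensor_conf dmz2 192.168.2.0/24 "$WORK" web-cgi.rules dns.rules mysql.rules)
snort_cmdline dmz1 eth1 "$dmz1" "$WORK/log/dmz1"
snort_cmdline dmz2 eth2 "$dmz2" "$WORK/log/dmz2"
```

Each instance listens on its own interface with its own config and log directory, which is the layout the post recommends; the script only writes the configs and prints the commands, so it can be reviewed before anything is started.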
