Snort mailing list archives
The littlest snort box... [a bit long...]
From: Jason Costomiris <jcostom () jasons org>
Date: Fri, 29 Mar 2002 09:43:48 -0500
So the other day, I put on my mad scientist hat. My mission? Figure out something useful to do with an Intrusion PDS 2315. For those who don't know, Intrusion is a (slowly) failing firewall/IDS appliance vendor. The PDS 2315 is actually a really cool unit. It's 8.5"W x 11"D x 1.75"H -- about the size of a good book. It's based on an Intel Celeron-II/600 (the Cu-mine core), with 128 MB of RAM, and 3 SiS900-based 10/100 Ethernets. Storage-wise, it's got a 10G IBM Travelstar (2.5") drive.

When I got the box, it was running a customized RH 7.0 setup, including a 2.2 kernel with ReiserFS filesystems. OS config was done with a hacked-up, customized Webmin. No keyboard port, just a serial port on the back that's not even used in the default config! It had an older release of Check Point VPN-1 loaded on it when I got it. This box is neato and all, but it definitely lacks the muscle to run Check Point NG, so VPN-1 was immediately thrown out the window... I could run iptables on it, but I've already got enough firewalls here :-). That left me with DHCP/DNS/Samba/MRTG or Snort. A few months ago I had to take my sensor down, so I thought it would be nice to get a sensor back.

Installation of RH 7.2 was a snap. I pulled the hard drive out and swapped it into a Dell Latitude CPi notebook. Did a quick X-less installation of RH 7.2, pre-configured mgetty/inittab to listen to /dev/ttyS0 and added "console=ttyS0,38400n8" to the end of the "kernel" line in the /boot/grub/grub.conf file. Slap the drive back into the PDS 2315 and time to rock and roll.

When it first boots, kudzu finds the 3 Ethernets and offers to set them up for you. I prefer to manually hack on the /etc/sysconfig/network-scripts/ifcfg-eth* files myself, so I pass on the address configs. The interfaces turned out to be a bit peculiar on the PDS 2315. I suspect something in the PCI code that changed between the 2.2 and 2.4 kernels made the ports show up in reversed order on the 2.4 kernel.

So, the lights on the front, Linux, and the markings on the back match up like this:

  E1 (which is eth0) plugs into the port on the back marked E3
  E2 (which is eth1) plugs into the port on the back marked E2
  E3 (which is eth2) plugs into the port on the back marked E1

Ok, it's a little wonky, but hey, I'm not the engineer who put this thing together, I'm just the guy making something useful out of it!

My next move - install apt from http://apt-rpm.tuxfamily.org/. Update my packages, install the mysql libs, etc. Run off to snort.org, and grab the RPMs for libnet, snort and snort-mysql+flexresp. Install them and create some customized configs. Hack a bit on the ifcfg-eth* files and the /etc/init.d/snortd script.

Bottom line? I've got two sensors running on this box, one on the outside of my firewall (eth0 - comcast cable-land) and one on my WLAN segment (eth1), which of course, is firewalled off from the wired LAN in my house! The piggies squeal wonderfully and are shooting their alerts to a mysql db on another machine on the LAN, where eth2 is connected.

So, in about an hour, I've got two sensors running on stealthed interfaces, and one live interface on the trusted network, snorting away, reporting to mysql in a package smaller than most notebooks. Not bad for a box that would have probably wound up as a bookend, eh? Oh yeah, load avg? I'm lucky if it goes over 0.1. :-)

-- 
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum videtur.
My account, My opinions.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
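The post describes the setup in prose only: two sniffing interfaces with no IP address (eth0 and eth1), one management interface (eth2) that carries alerts to a mysql server, and a hacked snortd that starts one Snort instance per sensor. The shell below is an added example, not the author's own ifcfg or snortd edits and not code from the Snort project. It generates the RH 7.x-style ifcfg file for a stealth interface, builds the per-interface Snort command line, and refuses to start a sensor on an interface that already carries an IPv4 address, which is the check you want before trusting that a sniffing port is really unaddressed. The sensor names, config and log paths, the database host 192.168.1.10 and the mysql credentials are placeholders I have assumed, and the two ifconfig snippets are constructed sample output, not captured from the PDS 2315.

```shell
#!/bin/sh
# Added example (not from the original post): one Snort sensor per stealth
# interface, as described for eth0/eth1, alerts over eth2 to a remote mysql db.
# Assumed placeholders: SNORT/CONFDIR/LOGDIR paths, db host, user, password.
SNORT=${SNORT:-/usr/sbin/snort}
CONFDIR=${CONFDIR:-/etc/snort}
LOGDIR=${LOGDIR:-/var/log/snort}
DBHOST=${DBHOST:-192.168.1.10}

# Constructed sample ifconfig output (2.4-era format), used only for testing
# the stealth check offline. The first has an address, the second does not.
SAMPLE_LIVE='eth2      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_STEALTH='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:56
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'

# Read ifconfig text on stdin; return 0 if the interface has an IPv4 address,
# 1 if it is stealthed. A sniffing interface must not answer to any address.
iface_has_ip() {
    grep -q 'inet addr:'
}

# Emit the /etc/sysconfig/network-scripts/ifcfg-* content for a stealth
# interface: up at boot, no address protocol, no IPADDR line at all.
stealth_ifcfg() {
    iface=$1
    printf 'DEVICE=%s\nONBOOT=yes\nBOOTPROTO=none\n' "$iface"
}

# The mysql output line for that interface's snort.conf. Each sensor gets its
# own sensor_name so alerts from the two segments stay distinguishable in the db.
mysql_output_line() {
    sensor=$1
    printf 'output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=%s sensor_name=%s\n' \
        "$DBHOST" "$sensor"
}

# Build the command that starts one detached (-D) Snort instance bound to a
# single interface, with a per-interface config and log directory.
snort_cmd() {
    iface=$1
    printf '%s -D -i %s -c %s/snort-%s.conf -l %s/%s' \
        "$SNORT" "$iface" "$CONFDIR" "$iface" "$LOGDIR" "$iface"
}

# Bring the interface up with no address, in promiscuous mode, then start
# Snort on it. Refuse if the interface already has an address: a sensor that
# answers ARP or TCP on the outside of the firewall is not stealthed.
start_sensor() {
    iface=$1
    if ifconfig "$iface" 2>/dev/null | iface_has_ip; then
        echo "refusing to start Snort on $iface: it has an IP address" >&2
        return 1
    fi
    ifconfig "$iface" 0.0.0.0 up promisc || return 1
    mkdir -p "$LOGDIR/$iface"
    $(snort_cmd "$iface")
}

# Only touch real interfaces when invoked as: ./sensors.sh start
if [ "${1:-}" = start ]; then
    start_sensor eth0   # outside the firewall
    start_sensor eth1   # WLAN segment
fi
```

Run it as root with `start` on the box itself; without arguments it only defines the functions, so you can source it and call `stealth_ifcfg eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0` or paste `mysql_output_line wlan` into the matching snort.conf. The mapping quirk in the post still applies: eth0 is the port marked E3, so verify with the link light before deciding which cable goes where.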