Snort mailing list archives
AW: Help with where to place a Snort sensor! -newbie questions-
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Wed, 19 Jun 2002 12:45:31 +0200
Hi Daniel
> Hello! I guess you will find the following questions are basic but I do not have so much professional background and practical work in network field.
You'll get it quite soon when working with snort ;)
> I was reading the paper from Jon Bull "Snort's Place in a Windows 2000 Environment". He says:
>
> [ Internet ] -------(1) ------- [ Router ] -------(2) ------- [ LAN ] (Fig 1)
>
> "On a simple LAN with no DMZ (see figure 1) there are two optimal places to locate your sensor, between the router and the Internet, and between the router and LAN. The first configuration, denoted with a (1), will detect all attacks against the network, but will not show you which attacks actually get through the router and into the LAN. The second configuration, denoted with a (2), will show you which attacks enter the LAN."
>
> I suppose that between the router and the LAN (constituted by some computers for instance), there is a hub or a switch. Thus, if I want to place my IDS in location 2, I can run Snort in a Linux box, with the interface set up in promiscuous mode and stealth mode and connected to the SPAN port of the switch or one port of the hub, is it right?
In general yes. If the hub supports 10/100 Mb/s then you'll have 2 hubs in one which means that if the snort box is using 100Mb/s and the router only 10 you won't see anything except broadcasts.
> And then, like this, with this configuration, I will be able to detect attacks coming from the outside but also, from the inside of the LAN and attacks between computers inside the LAN (still constituted by some computers and connected to a switch/hub that is in turn connected to the router), is it also right?
This depends on the setup. If you only have a small LAN on a single-speed hub where the router is also connected you're right. But if there are more segments connected via routers in your LAN you only see traffic going through the internet router, not internal LAN traffic. When your LAN is set up with switches you'll have some more issues: First, if you only have one switch which is your LAN you'll have to make sure your snort box can handle all traffic generated by all boxes you wish to snort, that means if your internet router and your LAN boxes all have 100 Mb/s connections and you want to span all ports (presuming your switch supports VLAN mirroring) you will have to use a Gig port to make sure no packet is lost. This is true as long as you're not having more than ten 100 Mb/s half-duplex or five 100 Mb/s full-duplex connections (if you can make sure your LAN boxes don't saturate 100 Mb/s then you can think of some more connections). If you're using VLANs spanned over more than 1 switch you'll have a much harder job. You then have to think carefully which information you are interested in and put the snort sensors accordingly into the LAN (I don't think you will be able to do this with a single snort sensor). I think snort can handle GB when the snort box and snort are highly tuned (not tested full GB speed yet).
> However, if I want to place my IDS in location 1, how I could do that? Can I still use a Linux box with SNORT installed in it, with the interface set up in promiscuous mode and stealth mode and directly connected to the Internet and the other interface connected to the router?
First question: Are you really interested in getting all that portscan, Code Red, Nimda stuff in your logs which might be filtered by your router (supposing there is some kind of filtering or firewall set up)? If you are then you could use a so-called tap (passive) which splits the network cable into two streams (one receive/one transmit stream for a full duplex connection) which in turn can then be connected to two interfaces in your snort box. This setup requires channel bonding to reassemble on your snort box, which works very well (see http://sourceforge.net/projects/bonding). Or you could set up a so-called Gateway-IDS which is put between the internet and the router, but I wouldn't recommend that because of 1) single point of failure (if a tap fails snort doesn't see anything more but the connection router-internet is still working) 2) your snort box is exposed to the internet and could be hacked eventually.
> How I could manage my IDS then?
Use a third interface and put it into your internal LAN while the two interfaces connected to the tap are configured to be stealth interfaces, and the tap can only read data but there's no way to send data via a tap, therefore your snort box won't be visible outside. One other thing to remember is: Alarming/Reporting. When dealing with more than one sensor think of centralizing alarming and reporting to a dedicated box so you don't get performance issues on the snort box itself.
> Thank you very much for your help! :)
Well, I hope this helped ;) Ciao, Sandro
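The mirror-port sizing rule of thumb in the reply (a Gig port handles about ten 100 Mb/s half-duplex or five 100 Mb/s full-duplex links, more if the hosts never saturate their links) worked through as a small calculator. This is an added example, not code from the post or the Snort project; the port list at the bottom is constructed, and the `utilization` knob is an assumption standing in for "your LAN boxes don't saturate 100 Mb/s".

```python
"""Mirror/SPAN port sizing check for a Snort sensor (added example, not from the post).

A mirror port has to carry the traffic of every monitored port in BOTH directions.
A full-duplex 100 Mb/s link can push 100 Mb/s each way (200 Mb/s mirrored), while
a half-duplex link shares one 100 Mb/s collision domain. That is why one 1000 Mb/s
monitor port fits ~10 half-duplex or ~5 full-duplex 100 Mb/s links before it drops.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    speed_mbps: int           # link speed: 10, 100, 1000
    full_duplex: bool         # True: both directions can run at line rate at once
    utilization: float = 1.0  # assumed fraction of line rate actually used (1.0 = worst case)

    def mirrored_mbps(self) -> float:
        # The switch copies rx and tx of the monitored port onto the monitor port.
        directions = 2 if self.full_duplex else 1
        return self.speed_mbps * directions * self.utilization


def mirrored_load(ports):
    """Total traffic the monitor port must carry for this set of mirrored ports."""
    return sum(p.mirrored_mbps() for p in ports)


def monitor_port_fits(ports, monitor_speed_mbps):
    """Return (fits, load_mbps, headroom_mbps) for a monitor port of the given speed."""
    load = mirrored_load(ports)
    return load <= monitor_speed_mbps, load, monitor_speed_mbps - load


def max_links(monitor_speed_mbps, link_speed_mbps, full_duplex, utilization=1.0):
    """How many identical links one monitor port can mirror without loss."""
    per_link = Port("probe", link_speed_mbps, full_duplex, utilization).mirrored_mbps()
    return int(monitor_speed_mbps // per_link)


if __name__ == "__main__":
    # Constructed LAN: the Internet router plus four hosts, all 100 Mb/s full duplex.
    lan = [Port("router", 100, True)] + [Port(f"host{i}", 100, True) for i in range(4)]
    for mon in (100, 1000):
        fits, load, headroom = monitor_port_fits(lan, mon)
        verdict = "OK" if fits else "DROPS packets"
        print(f"monitor {mon} Mb/s: mirrored load {load:.0f} Mb/s -> {verdict} (headroom {headroom:.0f})")
    print("Gig port fits", max_links(1000, 100, False), "half-duplex 100 Mb/s links")
    print("Gig port fits", max_links(1000, 100, True), "full-duplex 100 Mb/s links")
```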