Snort mailing list archives
RE: Snort Setup Suggestions? *NEWBIE QUESTION*
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Mon, 12 Aug 2002 15:19:55 -0400
Some suggestions...

There should be two network interfaces: one for the sensor, and one for management. The sensor interface will run un-addressed, so you don't have to worry about folks on the Internet firing exploits at that interface. The one on the LAN/WAN should be addressed, privately if possible. However, being a college environment, that may not be possible, so you'll want to use IPSec policy in conjunction with a simple border ACL to restrict access to that node from un-trusted networks (actually, all non-admin networks).

As far as IIS is concerned, IIS is not much of a liability in and of itself. The liability is that folks who don't have a clue (or don't care) do not take the time to understand how it works, or the measures required to make it function in a safe manner. As long as you understand the threats and lock it down, you're just fine. Read the MS best practices, and make use of IIS Lockdown, URLScan, etc. Also use integrated authentication to the extent possible, and check all of your ACLs.

In a nutshell, you're not at a total disadvantage using Win32. You have to go with what you know, right? Just apply some common sense, and sound network security practices in general, and it'll be fine.

Cheers

Keith

-----Original Message-----
From: Charles Hamby [mailto:fixer () gci net]
Sent: Monday, August 12, 2002 1:10 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Setup Suggestions? *NEWBIE QUESTION*

I'm getting ready to help the sysadmin from my college set up a Snort sensor (Win32), and I'd like to get some input...

The network Snort's being installed on is a non-firewalled (I know, I know, I've been arguing with him about this for a year, but to no avail) Win2k domain. Neither of us knows enough about Linux to go with a Linux version, so I've decided on the win32 distro.
They're using an entirely switched network, so since getting a tap would cost money (which they don't have), we're looking at setting up the Snort sensor at the network ingress point. The only problem I have is that doing so will require adding IIS in order to view the logs (can you say security hole?) unless the sysadmin wants to walk down to the comm closet several times a day to check the Snort logs (doubtful). Does anyone know of another way around this (as you can tell, I'm really new to Snort)?

Thanks!

-Charles
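A check for the two-interface layout described in the reply, as an added example that is not part of the original message or of Snort: it parses `ipconfig /all` output and reports a sensor adapter that still carries any IP address, including the 169.254.x.x address Windows auto-assigns when TCP/IP is left bound with no DHCP answer, and a management adapter that is not on RFC 1918 space. The adapter names "Sensor" and "Management", the function names and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt; adapter names and addresses are made up.
SAMPLE = """\
Ethernet adapter Management:

   Physical Address. . . . . . . . . : 00-00-5E-00-53-01
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.0.2.10

Ethernet adapter Sensor:

   Physical Address. . . . . . . . . : 00-00-5E-00-53-02
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.17.42
"""

ADAPTER = re.compile(r"^\S.* adapter (.+):\s*$")
ADDRESS = re.compile(r"^\s+(?:\S+ )*?IP(?:v[46])? Address[ .]*:\s*(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def adapter_addresses(text):
    """Map each adapter name to the IP addresses ipconfig reports for it."""
    found, current = {}, None
    for line in text.splitlines():
        if m := ADAPTER.match(line):
            current = m.group(1)
            found[current] = []
        elif current and (m := ADDRESS.match(line)):
            raw = m.group(1).split("(")[0].split("%")[0]  # drop "(Preferred)" and IPv6 zone
            found[current].append(ipaddress.ip_address(raw))
    return found

def audit(text, sensor, management):
    """Return findings for the sensor/management layout (names are assumptions)."""
    addrs, findings = adapter_addresses(text), []
    for ip in addrs.get(sensor, []):
        kind = "auto-assigned link-local" if ip.is_link_local else "configured"
        findings.append(f"{sensor}: {kind} address {ip}; interface is not un-addressed")
    for ip in addrs.get(management, []):
        if ip.version == 4 and not any(ip in net for net in RFC1918):
            findings.append(f"{management}: {ip} is not RFC 1918 private; needs ACL/IPSec filtering")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "Sensor", "Management"):
        print(finding)
```

An empty result means the sensor adapter reports no address at all and the management adapter sits on private space; it does not verify the border ACL or IPSec policy themselves.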