Snort mailing list archives

Re: [Snort-sigs] Snort on FTP server


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 22 Jan 2003 14:53:25 -0500

First, I'm moving this over to snort-users.. which is where it belongs. snort-sigs is for signature development related issues.

Second, sure, you can run snort on any pc at any point in your network. It all depends on what you want snort to monitor. The most common deployment monitors a whole network, thus snort is commonly installed at the gateway, but there's no reason it can't monitor a point inside the network.

Snort should see all the traffic present on the FTP server's nic, but because your DSL router's 3 ethernet ports are likely a switch, it will not be able to monitor attacks against any other machine in the network.

Also since the FTP server is NAT'ed by a typical DSL/cable router box, I highly doubt it will be probed on any ports other than ones which your router is manually configured to forward to the FTP server. It's impossible for anyone outside to specifically address your FTP server, thus it should be impossible for me to probe a random subset of ports on your FTP box from the outside.

There is one major drawback of running it on the same machine: if the FTP server gets hacked, the attacker, if smart, can now blank your snort logs.

At 06:24 PM 1/17/2003 +0100, Walter Pouwels wrote:
Hi to all.

I wonder if it is any use putting snort on a pc (win2k server) which is used as an FTP server ?

When reading through Snort docs and such all I seem to read is snort being used on the actual router/gateway station, listening on the external interface. What I want to do is monitor any logon attempts at the ftp server for users without login/pw but also if the machine gets probed on any other ports.

The network topology is as follows:

E-tech router
1x WAN ------ ADSL 1536 Kbps/256Kbps
4x LAN 10/100 Mbit

In the 4 LAN connections there are:

pc-1 end-user system IP 192.168.4.1
pc-2 end-user system IP 192.168.4.2
pc-3 FTP server IP 192.168.4.3

So is this possible to install snort on a machine with only 1 NIC and have it listen to the traffic on that NIC or should I place another pc between the FTP server and the router LAN port
(giving: ftp-server ---- SNORT PC ----- router ---- ADSL)?

Thanks in advance.

Walter
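One way to cover both halves of Walter's question on the FTP host itself, as an added example that is not part of the original thread and not one of Snort's shipped rules: a small snort.conf fragment that (1) sends alerts to a syslog host elsewhere on the LAN, so a compromise of the FTP box cannot simply blank the logs Matt warns about, and (2) raises an alert when one source produces repeated FTP "530" (login failed) replies. Assumptions: the 192.168.4.0/24 addressing comes from the thread, but the choice of pc-1 (192.168.4.1) as the syslog host is constructed; the sid is an arbitrary value in the local (1000000+) range; the `threshold` rule option is Snort 2.x-era syntax, later superseded by `detection_filter`.

```snort
# --- Added example fragment for snort.conf on the FTP server (pc-3) ---
# Network the sensor protects; taken from the topology in the thread.
var HOME_NET 192.168.4.0/24
var EXTERNAL_NET !$HOME_NET

# Ship alerts off-box. A remote syslog target is assumed (pc-1 here,
# constructed for the example); an attacker who roots the FTP host can
# wipe local alert files but not a copy already on another machine.
output alert_syslog: host=192.168.4.1:514, LOG_AUTH LOG_ALERT

# Keep a local copy as well (stream preprocessor is needed for flow:).
output alert_fast: alert.ids
preprocessor stream4: detect_scans
preprocessor stream4_reassemble

# Repeated failed FTP logins. The FTP server answers a bad user/pass with
# a "530 " reply, so watch replies leaving port 21 on this host. The
# threshold keeps one stray typo quiet but fires once a single source
# collects 5 failures inside 60 seconds. sid 1000001 is an assumed
# local-range id, not an official Snort signature number.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP repeated failed logins from one source"; \
    flow:from_server,established; content:"530 "; depth:4; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    classtype:unsuccessful-user; sid:1000001; rev:1;)
```

Because the DSL router only forwards the ports explicitly mapped to the FTP server, this rule plus Snort's standard port-scan detection is about all a sensor on pc-3 can usefully see; monitoring pc-1 and pc-2 would still require a sensor upstream of the router's switch ports, as Matt notes.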

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users