Snort mailing list archives
Re: deployment advice
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 24 Sep 2003 17:11:57 +0200
Hi, Daniel de Young wrote:
> okay, i'm in the planning stages of a new snort box and could use some feedback/suggestions. here is the setup (low volume network)...
> [...]
> from the caswell + et al book and faq i gather the following:
>
> 1. in order to monitor multiple interfaces, i'll need to do one of the following:
>    A. run multiple instances of snort
>    B. use a bridge interface
>    C. use a snort patch that allows me to specify "any" for interface
AFAIK if you use Linux no special patch is needed. Don't know about other OSes. Anyway, running capturing processes (tcpdump or Snort) with the any parameter is not a good idea.

1. All traffic will be copied to all processes - even loopback
2. The socket manpage is claiming that promiscuous mode is not working ... anything else known?

man pcap:

#########
pcap_open_live() is used to obtain a packet capture descriptor to look at packets on the network. device is a string that specifies the network device to open; on Linux systems with 2.2 or later kernels, a device argument of "any" or NULL can be used to capture packets from all interfaces. snaplen specifies the maximum number of bytes to capture. promisc specifies if the interface is to be put into promiscuous mode. (Note that even if this parameter is false, the interface could well be in promiscuous mode for some other reason.) For now, this doesn't work on the "any" device; if an argument of "any" or NULL is supplied, the promisc flag is ignored.
##########

AFAIK if you're running several instances you'll have to set the promiscuous mode for each NIC manually. I think I've read that a few days ago. See some older postings on that. Also some conflicts with the PID files may occur - beware.
> 2. if i'm not running multiple instances i'll need to specify something like the following:
>
>    var HOME_NET [10.10.10.0/24,192.168.1.0/24,etc]
>    preprocessor portscan: 0.0.0.0/0 5 60 /var/log/snort/portscan.log
>    preprocessor portscan-ignorehosts: 10.10.10.0/24 192.168.1.0/24 etc
>
> my questions are:
>
> 1. what are your suggestions for os (no holy wars!)? normally i run openbsd, but i'll need smp this time. i figure my choices are solaris, netbsd, linux. i gather that my next question may have sway on the answer since some methods are os dependent.
Today there has been a posting in the tcpdump mailing list claiming that Solaris' capturing performance is excellent. I'm using Linux with Phil Wood's libpcap in a 100Mbit network. Having some 100 rules for HTTP I have no packet drops. That's fine.
> 2. i'd like for each segment's data to be logged/stored separately for easy analysis from the database. which method of running multi-if lends itself best to this goal? would it be multiple instances?
Use barnyard and define your sensors appropriately. That shouldn't be very difficult.
> 3. any other suggestions based on what you see?
>
> thanks,
> -daniel
Regards,
Edin
--
Edin Dizdarevic
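The two practical points in this reply (the pcap "any" device ignores the promisc flag, so each NIC of a multi-instance sensor must be put into promiscuous mode by hand, and the instances must not share PID files) can be turned into a pre-flight check. The script below is an added example, not code from the thread or from the Snort project. It assumes a Linux host where /sys/class/net/<iface>/flags exposes the IFF_* bits, and Snort 2.x command-line options -D, -i, -c, -l and --pid-path; the interface names and flag values it tests against are constructed samples.

```python
#!/usr/bin/env python3
"""Pre-flight check for a one-Snort-instance-per-NIC deployment (added example).

- verifies each monitored NIC is up and in promiscuous mode, because the pcap
  "any" device ignores the promisc flag and multi-instance setups need it per NIC
- builds one Snort command line per NIC with its own log and PID directory, so
  the instances do not fight over a shared PID file
"""
from pathlib import Path

IFF_UP = 0x1          # interface is administratively up   (values from <linux/if.h>)
IFF_PROMISC = 0x100   # interface is in promiscuous mode


def parse_flags(flags_text):
    """Parse the hex value found in /sys/class/net/<iface>/flags (e.g. "0x1103\\n")."""
    return int(flags_text.strip(), 16)


def is_up(flags_text):
    return bool(parse_flags(flags_text) & IFF_UP)


def is_promisc(flags_text):
    return bool(parse_flags(flags_text) & IFF_PROMISC)


def read_sysfs_flags(iface, sysfs=Path("/sys/class/net")):
    """Read the live flags of a NIC; raises OSError if the interface does not exist."""
    return (sysfs / iface / "flags").read_text()


def check_interfaces(ifaces, read_flags=read_sysfs_flags):
    """Return {iface: [problem, ...]}; an empty list means the NIC is ready for a sensor."""
    report = {}
    for iface in ifaces:
        try:
            flags = read_flags(iface)
        except OSError as exc:
            report[iface] = ["cannot read flags: %s" % exc]
            continue
        problems = []
        if not is_up(flags):
            problems.append("interface is down")
        if not is_promisc(flags):
            problems.append("not in promiscuous mode (fix: ip link set dev %s promisc on)" % iface)
        report[iface] = problems
    return report


def snort_cmd(iface, conf="/etc/snort/snort.conf",
              log_base="/var/log/snort", pid_base="/var/run/snort"):
    """One Snort 2.x daemon per NIC, each with its own log dir and PID directory
    (assumed options: -D daemon, -i interface, -c config, -l log dir, --pid-path)."""
    return ["snort", "-D", "-i", iface, "-c", conf,
            "-l", "%s/%s" % (log_base, iface),
            "--pid-path", "%s/%s" % (pid_base, iface)]


# Constructed sample: flags as sysfs would report them for two hypothetical NICs.
SAMPLE_FLAGS = {
    "eth1": "0x1103\n",  # UP | BROADCAST | MULTICAST | PROMISC
    "eth2": "0x1003\n",  # UP | BROADCAST | MULTICAST, promisc NOT set
}


def sample_read_flags(iface):
    """Stand-in for read_sysfs_flags that serves the constructed sample."""
    try:
        return SAMPLE_FLAGS[iface]
    except KeyError:
        raise FileNotFoundError("no such interface: %s" % iface)


def demo(ifaces=("eth1", "eth2")):
    """Run the check against the constructed sample and return the report."""
    return check_interfaces(ifaces, read_flags=sample_read_flags)


if __name__ == "__main__":
    import shlex
    for iface, problems in demo().items():
        if problems:
            print("%s: NOT ready: %s" % (iface, "; ".join(problems)))
        else:
            print("%s: ready -> %s" % (iface, shlex.join(snort_cmd(iface))))
```

On a real sensor, call check_interfaces with the default read_sysfs_flags and the NIC list you intend to monitor; only start an instance for an interface whose problem list is empty, and keep the per-interface log directory so barnyard can be pointed at each segment's output separately.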
Current thread:
- deployment advice Daniel de Young (Sep 23)
- Re: deployment advice Edin Dizdarevic (Sep 24)