Snort mailing list archives
Re: Multi-sensor setup
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 22 Jul 2009 20:40:40 -0400
I think I have a blog post about this. Blatant plug. Let me see. Let me use my awesome new cut and paste functionality on my iPhone.

http://www.joelesler.net/finshake/Blog/Entries/2009/3/6_Why_is_your_IDS_outside_your_Firewall.html

Check that out.

--
Sent from my iPhone

On Jul 22, 2009, at 6:02 PM, "Scott Elgram" <SElgram () VerifPoint com> wrote:

As far as I know it will, and right now I do have IPFW logging most of the denied connection attempts. What prompted this whole exercise is that a few managers had come to me with concern about their employees' internet usage during business hours. For the moment I have IPFW logging all the traffic from a few individuals of interest, but it's not an ideal setup. It was then that I remembered the fun I had with Snort and ACID many years ago and thought that it might be a more ideal way to monitor outbound traffic. So, since I was building one for that, I figured I would add an IDS back into the loop too.

-Scott

-----Original Message-----
From: Milo Velimirovic [mailto:milov () uwlax edu]
Sent: Wednesday, July 22, 2009 2:28 PM
To: SElgram () VerifPoint com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multi-sensor setup

Instead of having a Snort sensor to look at the traffic outside the firewall, how about having the firewall send syslog messages to a logging server. Your firewall will generate syslog, right? If you ratchet up the syslog level to warning or above you should see plenty.

- M

On Jul 22, 2009, at 4:13 PM, Scott Elgram wrote:

I would like to see the traffic that is attempting to get through as well, just so I know what sort of attacks or whatever are being attempted against my firewall. As far as I know everything is hunky dory and anything malicious isn't getting through, but it's a bit like standing at the edge of a dark hole. Sure, I'm fine where I am now, but I have no idea what's in the hole.

-Scott

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, July 22, 2009 2:05 PM
To: SElgram () VerifPoint com
Cc: Richard Bejtlich; <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Multi-sensor setup

Okay, I'll ask. Why do you want to compare traffic getting through? Just sniff behind the firewall and then you know what's getting through.

--
Sent from my iPhone

On Jul 22, 2009, at 3:13 PM, "Scott Elgram" <SElgram () VerifPoint com> wrote:

Ideally I was thinking of attaching one interface just before my firewall on the internet side and the other just after the firewall on the internal network side. I'd like to be able to view the traffic that is attempting to get through the firewall on both sides and by comparison see what traffic is making it through. I'm relatively new to Snort, so I'm not entirely sure if this is even a logical setup, but I figured it was worth a try.

-Scott

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com]
Sent: Wednesday, July 22, 2009 12:07 PM
To: SElgram () verifpoint com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multi-sensor setup

Hello,

What do you expect to have xl0 and xl1 monitor?

Richard

On 7/22/09, Scott Elgram <SElgram () verifpoint com> wrote:

Hello,

I have recently completed a Snort install on FreeBSD but I'm unable to get it to do what I would like. I have 3 interface cards installed (fxp0, xl0, xl1) and my plan is to set up fxp0 with an IP address for BASE and leave the other two as Snort sensors without IP addresses in "promisc -arp" mode. If I set snort_interface to either xl0 or xl1, Snort runs perfectly fine for the assigned interface but not at all for the unassigned interface, obviously.

After some digging I found some posts that stated I could accomplish my goal by bridging the two interfaces, which I have done with the following in my rc.conf file:

----------------------------------
cloned_interfaces="bridge0"
ifconfig_bridge0="addm xl0 addm xl1 up"
ifconfig_xl0="up promisc -arp"
ifconfig_xl1="up promisc -arp"
----------------------------------

However, this still does not log consistent data for the two networks. With snort_interface set to xl0, I ping through the network connected to xl0 and I get all the data; if I ping through the network connected to xl1 I only get two entries and then nothing after that. Ever. I get the same result with snort_interface set to bridge0. Additionally, the 2 entries I do get from pinging through the xl1 network are logged as sensor xl0.

Am I missing something, is this something Snort can do?

Thanks,
-Scott

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Milo Velimirović, Unix Computer Network Administrator
608.785.6618 Office - 608.386.2817 Cell
University of Wisconsin - La Crosse
La Crosse, Wisconsin 54601 USA
43 48 48 N 91 13 53 W
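Milo's suggestion in the thread (have the firewall syslog its denied connections to a log server) and Scott's existing IPFW logging both end in a pile of kernel "ipfw:" lines that need summarizing before they answer either of his questions: what is being attempted against the firewall from outside, and what internal hosts are doing outbound during business hours. The following is an added example, not code from anyone in this thread or from the Snort project: a small Python parser for ipfw log lines that counts denied inbound attempts per source address and destination port, and outbound connections per internal host and destination port. The log lines are constructed samples in the format FreeBSD's ipfw writes for rules carrying the log keyword, the interface name em0 is a hypothetical external interface, and the addresses are taken from documentation ranges.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Kernel "ipfw:" log line for a rule with the "log" keyword:
#   ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>
# ICMP lines carry "ICMP:<type>.<code>" as the protocol and no port fields.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>[\w:.]+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


@dataclass(frozen=True)
class IpfwEvent:
    rule: int
    action: str          # Accept, Deny, Reject, Unreach, Count, ...
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str       # "in" or "out"
    iface: str


def parse_ipfw_line(line: str) -> Optional[IpfwEvent]:
    """Return an IpfwEvent for an ipfw packet log line, or None for any other syslog line
    (including ipfw's own 'limit N reached' notices)."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    return IpfwEvent(
        rule=int(m["rule"]),
        action=m["action"],
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        direction=m["dir"],
        iface=m["iface"],
    )


def parse_ipfw_log(lines: Iterable[str]) -> List[IpfwEvent]:
    """Parse every line, silently skipping the ones that are not ipfw packet logs."""
    events = []
    for line in lines:
        ev = parse_ipfw_line(line)
        if ev is not None:
            events.append(ev)
    return events


def inbound_denied(events: Iterable[IpfwEvent], ext_iface: str) -> Counter:
    """Denied inbound attempts on the external interface, keyed by (src, proto, dport).
    This is the 'what is in the hole' view: who is knocking, and on which port."""
    c: Counter = Counter()
    for ev in events:
        if ev.action == "Deny" and ev.direction == "in" and ev.iface == ext_iface:
            c[(ev.src, ev.proto, ev.dport)] += 1
    return c


def outbound_by_host(events: Iterable[IpfwEvent], ext_iface: str) -> Counter:
    """Outbound connections leaving via the external interface, keyed by
    (internal src, proto, dport), regardless of whether the rule accepted or denied them."""
    c: Counter = Counter()
    for ev in events:
        if ev.direction == "out" and ev.iface == ext_iface:
            c[(ev.src, ev.proto, ev.dport)] += 1
    return c


def summarize(lines: Iterable[str], ext_iface: str) -> dict:
    events = parse_ipfw_log(lines)
    return {
        "parsed": len(events),
        "inbound_denied": inbound_denied(events, ext_iface),
        "outbound": outbound_by_host(events, ext_iface),
    }


# Constructed sample syslog lines (not real traffic); em0 is a hypothetical external interface.
SAMPLE_LOG = """\
Jul 22 14:28:01 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:4444 192.0.2.10:22 in via em0
Jul 22 14:28:02 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:4445 192.0.2.10:22 in via em0
Jul 22 14:28:03 fw kernel: ipfw: 100 Deny TCP 203.0.113.5:4446 192.0.2.10:22 in via em0
Jul 22 14:28:05 fw kernel: ipfw: 110 Deny UDP 198.51.100.7:53412 192.0.2.10:1434 in via em0
Jul 22 14:28:06 fw kernel: ipfw: 120 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via em0
Jul 22 14:29:10 fw kernel: ipfw: 300 Accept TCP 10.0.0.25:51022 203.0.113.80:80 out via em0
Jul 22 14:29:11 fw kernel: ipfw: 300 Accept TCP 10.0.0.25:51023 203.0.113.80:443 out via em0
Jul 22 14:29:12 fw kernel: ipfw: 300 Accept TCP 10.0.0.25:51024 203.0.113.80:443 out via em0
Jul 22 14:29:30 fw kernel: ipfw: 310 Deny TCP 10.0.0.31:40011 198.51.100.20:6667 out via em0
Jul 22 14:30:00 fw kernel: ipfw: limit 100 reached on entry 100
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines(), "em0")
    print(f"{s['parsed']} ipfw events parsed")
    print("Top denied inbound (src, proto, dport):")
    for key, n in s["inbound_denied"].most_common(3):
        print(f"  {n:4d}  {key}")
    print("Outbound by internal host (src, proto, dport):")
    for key, n in s["outbound"].most_common():
        print(f"  {n:4d}  {key}")
```

Feeding the script the logging server's syslog file instead of SAMPLE_LOG gives the two tables the thread is after without a second sensor outside the firewall; the "limit reached" line shows why the parser must tolerate non-packet ipfw messages, since ipfw stops logging a rule once its log limit is hit and only a raised limit (or the counters being reset) brings the lines back.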
Current thread:
- Re: Multi-sensor setup, (continued)
- Re: Multi-sensor setup Richard Bejtlich (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Joel Esler (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Chris Jacob (Jul 22)
- Re: Multi-sensor setup Jack Pepper (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Joel Esler (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Milo Velimirovic (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Joel Esler (Jul 22)
- Re: Multi-sensor setup William Young (Jul 24)
- Re: Multi-sensor setup Richard Bejtlich (Jul 22)