Re: Basics of setting up an inline snort installation

[Dave Kelly <bigdavekelly () googlemail com>]

Thanks Lynemose and Russ, hopefully that'll be enough to get me going.

I'd tried googling snort inline and have read the manual but couldn't
quite make it work in my head.  It's clicked, talking about bridging.
I'll be playing with that now, and I'm sure I'll be back with more
questions :-)

On Thu, Feb 9, 2012 at 6:54 PM, Heine Lysemose <lysemose () gmail com> wrote:
> Here's my input...
>
> Test Snort with this command
> /usr/local/snort/bin/snort --daq afpacket -Q -c
> /usr/local/snort/etc/snort.conf -i eth1:eth2 --daq-dir /usr/local/lib/daq
>
> If you like to run it as a daemon add -D to the line above.
>
> Configure the network interfaces eth0, eth1 and eth2. Interface eth0,
> management interface, will have a static IP address on our internal LAN and
> eth1 and eth2 will be setup in promiscuous mode.
>
> Edit /etc/network/interfaces
>
> auto eth0
> iface eth0 inet static
> address 192.168.1.10
> netmask 255.255.255.0
> gateway 192.168.1.1
>
> auto eth1
> iface eth1 inet manual
> up ifconfig eth1 0.0.0.0 up
> up ip link set eth1 promisc on
>
> auto eth2
> iface eth2 inet manual
> up ifconfig eth2 0.0.0.0 up
> up ip link set eth2 promisc on
>
> Also try looking at this site from
> SecurityOnion, http://code.google.com/p/security-onion/wiki/NetworkConfiguration
>
> /Lysemose
>
> On Thu, Feb 9, 2012 at 7:43 PM, PS <packetstack () gmail com> wrote:
> > If I have three interfaces, wan (eth0), lan1(eth1), and lan2 (eth2), could
> > I specify an interface pair of eth0:eth1::eth0:eth2 or do both pairs need to
> > have unique interfaces?
> >
> > On Feb 9, 2012, at 1:22 PM, Russ Combs <rcombs () sourcefire com> wrote:
> >
> >
> >
> > On Thu, Feb 9, 2012 at 1:11 PM, PS <packetstack () gmail com> wrote:
> > > When I first setup snort inline I only had two interfaces. One being my
> > > wan interface (eth0) and the other the LAN interface (eth1). I am able to
> > > run inline with just those two interfaces, but it is not recommended. Both
> > > are set to promiscuous mode. So it can be done with two if you really need
> > > to. Both interfaces have IP addresses.
> > >
> > > As for them needing IP addresses, I am not sure how it could be inline
> > > without IP addresses. How would traffic be routed?
> >
> >
> > Inline operation doesn't require IP addresses on the non-management port
> > and it is probably better that they don't have IP addresses.  In inline mode
> > you are just a "bump in the wire", and not routable apart from the
> > management port.
> > > Again, it's best if you have a third interface for management.
> > >
> > >
> > > On Feb 9, 2012, at 12:29 PM, Dave Kelly <bigdavekelly () googlemail com>
> > > wrote:
> > >
> > > > Thanks, that might make a bit more sense!  So the two interfaces that
> > > > are bridging don't need IP addresses?  I haven't seen a guide to
> > > > setting this up anywhere, do you know of one?
> > > >
> > > > Dave.
> > > >
> > > > On Thu, Feb 9, 2012 at 4:21 PM, Heine Lysemose <lysemose () gmail com>
> > > > wrote:
> > > > > Hi,
> > > > >
> > > > > To setup Snort as inline you need 3 network interface and pass your
> > > > > traffic
> > > > > through a bridge between 2 of the interfaces and a 3. for
> > > > > administration.
> > > > > You can start Snort with -Q to enable inline.
> > > > >
> > > > > /Lysemose
> > > > >
> > > > > On Feb 9, 2012 4:23 PM, "Dave Kelly" <bigdavekelly () googlemail com>
> > > > > wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I'm going to try setting up a new inline configuration, I've only
> > > > > > tried passive before but would like Snort to be able to drop packets
> > > > > > it says are bad.  I'm trying to work out the IP addressing for it. At
> > > > > > the moment, I have all my machines in 192.168.1.0/24 with a router at
> > > > > > 192.168.1.1 and a mirrored port on the switch sending all traffic to
> > > > > > snort.
> > > > > >
> > > > > > It's pretty similar to the Ubuntu getting started guide in the docs
> > > > > > ("Snort 2.9.2.0 on Ubuntu 10.04 LTS").
> > > > > >
> > > > > > I think that to move snort to inline I'm going to need to give it a
> > > > > > proper IP address and have the traffic pass through it but I can't
> > > > > > quite work out how to do that without reconfiguring all the hosts to
> > > > > > have new gateway addresses etc.  Any hints to get me going would be
> > > > > > much appreciated.
> > > > > >
> > > > > > Dave.
> > > > > >
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------------------------------
> > > > > > Virtualization & Cloud Management Using Capacity Planning
> > > > > > Cloud computing makes use of virtualization - but cloud computing
> > > > > > also focuses on allowing computing to be delivered as a service.
> > > > > > http://www.accelacomm.com/jaw/sfnl/114/51521223/
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists sourceforge net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > >
> > > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > > Snort
> > > > > > news!
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Virtualization & Cloud Management Using Capacity Planning
> > > > Cloud computing makes use of virtualization - but cloud computing
> > > > also focuses on allowing computing to be delivered as a service.
> > > > http://www.accelacomm.com/jaw/sfnl/114/51521223/
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Virtualization & Cloud Management Using Capacity Planning
> > > Cloud computing makes use of virtualization - but cloud computing
> > > also focuses on allowing computing to be delivered as a service.
> > > http://www.accelacomm.com/jaw/sfnl/114/51521223/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Virtualization & Cloud Management Using Capacity Planning
> > Cloud computing makes use of virtualization - but cloud computing
> > also focuses on allowing computing to be delivered as a service.
> > http://www.accelacomm.com/jaw/sfnl/114/51521223/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
>
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!