Snort mailing list archives

The littlest snort box... [a bit long...]


From: Jason Costomiris <jcostom () jasons org>
Date: Fri, 29 Mar 2002 09:43:48 -0500

So the other day, I put on my mad scientist hat.  My mission?  Figure out
something useful to do with an Intrusion PDS 2315.  For those who don't
know, Intrusion is a (slowly) failing firewall/IDS appliance vendor.  The
PDS 2315 is actually a really cool unit.  It's 8.5"W x 11"D x 1.75"H --
about the size of a good book.  It's based on an Intel Celeron-II/600
(the Cu-mine core), with 128 MB of RAM, and 3 SiS900-based 10/100 
Ethernets.  Storage-wise, it's got a 10G IBM Travelstar (2.5") drive.

When I got the box, it was running a customized RH 7.0 setup, including
a 2.2 kernel with ReiserFS filesystems.  OS config was done with a hacked
up, customized Webmin.  No keyboard port, just a serial port on the back
that's not even used in the default config!  It had an older release of
Check Point VPN-1 loaded on it when I got it.  This box is neato and all,
but it definitely lacks the muscle to run Check Point NG, so VPN-1 was
immediately thrown out the window...  I could run iptables on it, but I've
already got enough firewalls here :-). That left me with DHCP/DNS/Samba/MRTG
or Snort.  A few months ago I had to take my sensor down, so I thought it
would be nice to get a sensor back.

Installation of RH 7.2 was a snap.  I pulled the hard drive out and swapped
it into a Dell Latitude CPi notebook.  Did a quick X-less installation
of RH 7.2, pre-configured mgetty/inittab to listen to /dev/ttyS0 and 
added "console=ttyS0,38400n8" to the end of the "kernel" line in the 
/boot/grub/grub.conf file.  Slap the drive back into the PDS 2315 and 
time to rock and roll.  When it first boots, kudzu finds the 3 Ethernets
and offers to set them up for you.  I prefer to manually hack on the
/etc/sysconfig/network-scripts/ifcfg-eth* files myself, so I pass on the 
address configs.  The interfaces turned out to be a bit peculiar on
the PDS 2315.  I suspect something in the PCI code that changed between
the 2.2 and 2.4 kernels made the ports show up in reversed order on
the 2.4 kernel.  So, the lights on the front, Linux, and the markings on
the back match up like this:

E1 (which is eth0) plugs into the port on the back marked E3
E2 (which is eth1) plugs into the port on the back marked E2
E3 (which is eth2) plugs into the port on the back marked E1

Ok, it's a little wonky, but hey, I'm not the engineer who put this 
thing together, I'm just the guy making something useful out of it!

My next move - install apt from http://apt-rpm.tuxfamily.org/.  Update
my packages, install the mysql libs, etc.  Run off to snort.org, and
grab the RPMs for libnet, snort and snort-mysql+flexresp.  Install them
and create some customized configs.  Hack a bit on the ifcfg-eth* files
and the /etc/init.d/snortd script.  Bottom line?  I've got two sensors
running on this box, one on the outside of my firewall (eth0 - comcast
cable-land) and one on my WLAN segment (eth1), which of course, is 
firewalled off from the wired LAN in my house!  The piggies squeal 
wonderfully and are shooting their alerts to a mysql db on another 
machine on the LAN, where eth2 is connected.

So, in about an hour, I've got two sensors running on stealthed interfaces,
and one live interface on the trusted network, snorting away, reporting to
mysql in a package smaller than most notebooks.  Not bad for a box that 
would have probably wound up as a bookend, eh?  Oh yeah, load avg?  I'm 
lucky if it goes over 0.1. :-)

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.
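The layout the post ends with (two stealth sensor ports, one live management port reporting to a remote mysql database) as an added sh example, not the poster's own ifcfg or snortd files: ifcfg fragments with no IPADDR for the sniffing ports, a Snort 1.x "output database" line for the remote db, and one daemonised snort per port. Interface roles, config paths, the database host and user are assumptions.

```shell
#!/bin/sh
# Added example: two stealth Snort sensors plus one management interface,
# in the RH 7.x ifcfg-eth* / snortd style.  Interface roles, paths and the
# mysql parameters below are assumptions, not the poster's actual files.

SENSOR_IFS="eth0 eth1"      # stealth: no IP address, promiscuous
MGMT_IF="eth2"              # live: talks to the mysql box on the LAN
DB_HOST="192.0.2.10"        # placeholder address of the database machine

# ifcfg file for a sensor port: up at boot, but deliberately no IPADDR,
# so the port cannot be addressed from the segment it watches.
stealth_ifcfg() {
    printf 'DEVICE=%s\nONBOOT=yes\nBOOTPROTO=none\n' "$1"
}

# snort.conf line that ships alerts to the remote database
# (Snort 1.x "output database" plugin syntax; user/dbname assumed).
db_output_line() {
    printf 'output database: log, mysql, user=snort dbname=snort host=%s\n' "$DB_HOST"
}

# Command line for one daemonised sensor: one config and log dir per port.
snort_cmd() {
    printf 'snort -D -i %s -c /etc/snort/snort-%s.conf -l /var/log/snort/%s' "$1" "$1" "$1"
}

# Sanity check: the management port must never double as a sensor port.
roles_are_disjoint() {
    for i in $SENSOR_IFS; do
        [ "$i" = "$MGMT_IF" ] && return 1
    done
    return 0
}

# Only act when explicitly asked (e.g. from /etc/init.d/snortd start).
case "${1:-}" in
start)
    roles_are_disjoint || { echo "interface roles overlap" >&2; exit 1; }
    for i in $SENSOR_IFS; do
        stealth_ifcfg "$i" > "/etc/sysconfig/network-scripts/ifcfg-$i"
        ifconfig "$i" 0.0.0.0 up promisc   # link up, no address, sniffing
        eval "$(snort_cmd "$i")"
    done
    ;;
esac
```

Run as `sh snort-sensors.sh start` from the init script; with no argument it only defines the helpers.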

Snort-users mailing list
Snort-users () lists sourceforge net