Snort mailing list archives

Re: Helper Apps.


From: Erek Adams <erek () snort org>
Date: Wed, 19 Mar 2003 19:10:06 -0500 (EST)

On Wed, 19 Mar 2003, Angel Gabriel wrote:

> Thank you for the replies regarding the best way to roll out snort in a
> switched environment.
> After studying the schematics for the network in question, I have noticed two
> spots that all data travels to and from... the gateway, and the email server.
> They have several NICs in them that connect to every switch. (or so I have
> been told, I didn't wire this place up!) I'm sure it's just a matter of
> configuration on the switches to allow all data to pass to these servers, in
> which case they would be ideal for IDS.

Ummm....  Not really.  The best 'spot' for an IDS is on a standalone box.
You make one box a 'sensor' and then have it backend data to a 'management
console.'

A bit of advice from an old email admin turned security geek:  NEVER,
EVER, EVER place an IDS on something like an email server--That's just
begging for a lifetime supply of antacid medicine.  Consider this:
Someone spams your company with a 100mb file going to all users.  Your
email server will be working its little CPU off to deliver those
messages, junk them, or whatever--Leaving few (if any) cycles for Snort.
So now snort is dropping packets...  So now you are blind.  Not exactly
what you would really want, is it?

Gateway box?  Ummm...  Again, it's a matter of resource contention.  What
the other processes use, Snort can't have.  What Snort uses, the other
processes don't get.  It's a Catch-22 for the most part.

On very lightly loaded networks, that might be doable....  But from what
you're saying about multi-nics to multi-switches, I don't think you've got
a small shop.

Your best scenario would be to have a single dedicated box as a sensor,
placed on/in the network in such a way that it can see 'all traffic.'  If
you're using a Cisco switch, you can configure a port to be in SPAN mode.
Simply plug your IDS in there and you're in business.  Other switches have
the same functionality, but under different names--Span, mirror, monitor,
network supervisor port, etc.  Place the Snort box on that port with a
'stealth' interface.  Have a second NIC going to a private backend
management network where your data collector/management console is
located.  Send all data to the backend using something like BarnYard so
you don't have to worry about data loss.  Use whatever front end for
viewing/correlating the data that you wish.

> What I would like to ask, is what are the best helper apps for snort, and are
> any of them web based?

To be 100% honest:  Forget about 'helper apps'.  For you to have an
effective IDS you need to understand what/why/how it's doing things.
Front ends tend to 'dumb down' the user.  Learn Snort and how/why/what
it's doing before even considering a front end.  Things like ACID, Webmin,
DeMarc, IDSCenter, etc. are all great apps--I'm not trying to say they
aren't.  I'm just trying to say putting a pretty web front end on Snort
doesn't help you understand anything.  Running Snort isn't that hard, it's
the understanding of the data that's difficult.

I'd suggest that you put Snort on a machine that's directly connected to
the internet.  Don't try to sniff the whole net at this point.  Just fire
it up on your laptop while on DSL or a Cable Modem.  That will give you a
feel for what's going on, and what kind of things you will see.  Once you
feel comfortable with Snort, then build out a sensor and install it where
it's needed.  Only after you have Snort up and running should you worry
with a frontend.  Front ends are just pretty faces on the same old ugly
command lines.  :)

Hope that gives you some insight into the mind of a madman.  ;-)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
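The sensor layout Erek describes above (a dedicated box on a SPAN/mirror port, sniffing through a "stealth" interface, with a second NIC on a private management network) depends on the sniffing NIC really being stealth: up and promiscuous, ARP disabled, and carrying no IP address, so the sensor cannot be addressed from the monitored segment. The following script is an added example, not part of the original post or of Snort; it checks those properties by parsing the output of `ip -o link show` and `ip -o addr show` on Linux. The interface names and the sample `ip` output embedded in it are constructed for illustration, and the switch-side SPAN configuration is vendor-specific and not shown.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a Snort sniffing NIC
# is a "stealth" interface: UP, PROMISC, NOARP, and with no inet/inet6 address.
# Interface names and the sample `ip` output below are constructed.

# Return 0 if an `ip -o link show <if>` line carries the UP, PROMISC and NOARP flags.
stealth_link_ok() {
    line="$1"
    # Pull the comma-separated flag list out of the <...> bracket.
    flags=$(printf '%s\n' "$line" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,UP,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,NOARP,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the `ip -o addr show <if>` output lists no IPv4 or IPv6 address.
stealth_addr_ok() {
    if printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'; then
        return 1
    fi
    return 0
}

# Combined verdict: prints one line and returns 0 only when both checks pass.
check_stealth() {
    ifname="$1"; linkline="$2"; addrout="$3"
    if ! stealth_link_ok "$linkline"; then
        echo "$ifname: NOT stealth (needs UP, PROMISC and NOARP flags)"; return 1
    fi
    if ! stealth_addr_ok "$addrout"; then
        echo "$ifname: NOT stealth (interface has an IP address)"; return 1
    fi
    echo "$ifname: stealth OK"; return 0
}

# Constructed sample output in the shape of `ip -o link show` / `ip -o addr show`.
GOOD_LINK='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
GOOD_ADDR=''
BAD_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
BAD_ADDR='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

# On a real sensor, bring the sniffing NIC up as stealth (needs root), then check it:
#   ip link set dev eth1 arp off promisc on up
#   check_stealth eth1 "$(ip -o link show eth1)" "$(ip -o addr show eth1)"
check_stealth eth0 "$BAD_LINK" "$BAD_ADDR" || true   # expected to fail: addressed, ARP on
check_stealth eth1 "$GOOD_LINK" "$GOOD_ADDR"         # expected to pass
```

The sniffing NIC is left without an address on purpose; Snort can still capture on it, and the box is reached only through the management NIC on the backend network where the Barnyard collector lives.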

