Snort mailing list archives
Re: Helper Apps.
From: Erek Adams <erek () snort org>
Date: Wed, 19 Mar 2003 19:10:06 -0500 (EST)
On Wed, 19 Mar 2003, Angel Gabriel wrote:
Thank you for the replies regarding the best way to roll out Snort in a switched environment. After studying the schematics for the network in question, I have noticed two spots that all data travels to and from... the gateway, and the email server. They have several NICs in them that connect to every switch. (Or so I have been told, I didn't wire this place up!) I'm sure it's just a matter of configuration on the switches to allow all data to pass to these servers, in which case they would be ideal for IDS.
Ummm.... Not really. The best 'spot' for an IDS is on a standalone box. You make one box a 'sensor' and then have it backend data to a 'management console.' A bit of advice from an old email admin turned security geek: NEVER, EVER, EVER place an IDS on something like an email server--that's just begging for a lifetime supply of antacid medicine. Consider this: someone spams your company with a 100mb file going to all users. Your email server will be working its little CPU off to deliver those messages, junk them, or whatever--leaving few (if any) cycles for Snort. So now Snort is dropping packets... So now you are blind. Not exactly what you would really want, is it?

Gateway box? Ummm... Again, it's a matter of resource contention. What the other processes use, Snort can't have. What Snort uses, the other processes don't get. It's a Catch-22 for the most part. On very lightly loaded networks, that might be doable.... But from what you're saying about multi-NICs to multi-switches, I don't think you've got a small shop.

Your best scenario would be to have a single dedicated box as a sensor, placed on/in the network in such a way that it can see 'all traffic.' If you're using a Cisco switch, you can configure a port to be in SPAN mode. Simply plug your IDS in there and you're in business. Other switches have the same functionality, but under different names--SPAN, mirror, monitor, network supervisor port, etc. Place the Snort box on that port with a 'stealth' interface. Have a second NIC going to a private backend management network where your data collector/management console is located. Send all data to the backend using something like Barnyard so you don't have to worry about data loss. Use whatever front end for viewing/correlating the data that you wish.
What I would like to ask is: what are the best helper apps for Snort, and are any of them web based?
To be 100% honest: forget about 'helper apps'. For you to have an effective IDS you need to understand what/why/how it's doing things. Front ends tend to 'dumb down' the user. Learn Snort and how/why/what it's doing before even considering a front end. Things like ACID, Webmin, DeMarc, IDSCenter, etc. are all great apps--I'm not trying to say they aren't. I'm just trying to say putting a pretty web front end on Snort doesn't help you understand anything. Running Snort isn't that hard; it's the understanding of the data that's difficult.

I'd suggest that you put Snort on a machine that's directly connected to the internet. Don't try to sniff the whole net at this point. Just fire it up on your laptop while on DSL or a cable modem. That will give you a feel for what's going on, and what kind of things you will see. Once you feel comfortable with Snort, then build out a sensor and install it where it's needed. Only after you have Snort up and running should you worry with a front end. Front ends are just pretty faces on the same old ugly command lines. :)

Hope that gives you some insight into the mind of a madman. ;-)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
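The sensor layout the reply describes (a dedicated box, a 'stealth' NIC on the switch's SPAN/mirror port, a second NIC on a private management network, alerts shipped to the backend by Barnyard) can be scripted. The script below is an added example, not code from the thread or from the Snort project; it assumes hypothetical interface names (eth1 for the sniffing NIC, eth0 for management), config paths under /etc/snort, and Barnyard2 as the spooler rather than the original Barnyard the reply mentions. The snort and barnyard2 flags used are the real ones (-D daemon, -i interface, -c config, -l log directory; barnyard2 -d spool directory, -f file base name, -w bookmark file).

```shell
#!/bin/sh
# Added example: bring up a dedicated Snort sensor with a stealth sniffing NIC
# and a separate management NIC. Hypothetical values: eth1 sniffs, eth0 manages.
SNORT_CONF=/etc/snort/snort.conf
LOG_DIR=/var/log/snort

# Refuse a layout where the sniffing NIC is also the management NIC: alerts
# must leave over a separate, addressed link, not over the SPAN port.
validate_ifaces() {
    sensor="$1"; mgmt="$2"
    [ -n "$sensor" ] && [ -n "$mgmt" ] || return 1
    [ "$sensor" != "$mgmt" ] || return 1
    return 0
}

# Count IPv4 addresses in `ip -o -4 addr show dev <if>` output read on stdin.
# A stealth interface must report zero (grep -c prints 0 and exits 1 then).
inet_count() {
    grep -c 'inet ' || true
}

# Make the sniffing NIC stealthy: no address, no ARP, promiscuous, link up.
# Needs root; these are plain iproute2 commands.
stealth_up() {
    ip addr flush dev "$1"
    ip link set dev "$1" arp off
    ip link set dev "$1" promisc on
    ip link set dev "$1" up
}

# Verify the stealth NIC really carries no IPv4 address before starting Snort.
check_stealth() {
    n=$(ip -o -4 addr show dev "$1" | inet_count)
    [ "$n" -eq 0 ]
}

# Command line for the sensor daemon: listen on the stealth NIC, log locally.
snort_cmd() {
    printf 'snort -D -i %s -c %s -l %s\n' "$1" "$SNORT_CONF" "$LOG_DIR"
}

# Command line for the spooler that reads Snort's unified2 files from the log
# directory and forwards them to the backend console over the management NIC
# (the destination is set in barnyard2.conf, assumed to exist).
barnyard_cmd() {
    printf 'barnyard2 -D -c /etc/snort/barnyard2.conf -d %s -f snort.u2 -w %s/barnyard2.waldo\n' \
        "$LOG_DIR" "$LOG_DIR"
}

# Usage: ./sensor.sh up eth1 eth0   (does nothing unless told to act)
if [ "${1:-}" = "up" ]; then
    validate_ifaces "$2" "$3" || { echo "sensor and management NIC must differ" >&2; exit 1; }
    stealth_up "$2"
    check_stealth "$2" || { echo "$2 still has an IPv4 address" >&2; exit 1; }
    eval "$(snort_cmd "$2")"
    eval "$(barnyard_cmd)"
fi
```

The check_stealth step matters on a sensor: a sniffing NIC that still holds an address answers ARP and is reachable from the monitored segment, which defeats the point of the stealth interface. The snort.conf is assumed to contain an `output unified2:` line so that Barnyard2 has files to spool.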
Current thread:
- Helper Apps. Angel Gabriel (Mar 19)
- Re: Helper Apps. Erek Adams (Mar 19)