Snort mailing list archives
Re: IDS Topology
From: Bennett Todd <bet () rahul net>
Date: Fri, 10 Jan 2003 10:14:17 -0500
2003-01-09T20:36:09 Saul Bosquez:
[...] I'm trying to install snort 1.8.7 [...]
Don't Do That [tm]. Snort 1.8.x has been obsolete since 1.9.0 was released last October (despite the .0 release number, 1.9.0 was exceedingly stable, as it had a nice long leisurely beta:-). Sometime after then, but well before the end of last year, 1.8.x rule updates tapered off and stopped. Now you can no longer download updated rules files for 1.8.x snort. Install 1.9.0. Or, if it's available when you visit www.snort.org to download, 1.9.1, which I've heard rumoured for a week or two, but haven't yet seen.

As for the question of where to put the DB, I'm not an ACID user (I syslog to a RiskManager console), but here's the way to think about it.

Snort -(rdbms)-> DB <-(rdbms)- ACID <-(X11)- X server

The arrows indicate the direction in which TCP connections are established, the (parens) describe the protocol. You want your snort outside the firewall. You want your display ("X server" in the above diagram) on your desk, presumably.

If your box has the horsepower to spare (you don't mention details, most importantly how much bandwidth you're snorting), then you are more or less free to decide which bits lie where. The two performance-critical bits (i.e. the ones that will fight for resources like cats and dogs) are going to be snort and the DB; unless you've got very little bandwidth to worry about (say, a T1 or two at most), you probably want to give them separate machines.

The other consideration is the security of traffic. There's an appeal to not allowing that inbound RDBMS connection into a more tightly protected net, since RDBMSes aren't especially famous for the security of their implementations. For a small, single-sensor shop, I'd definitely park the DB alongside the sensor, outside the firewall, whether it was on the same box or on separate boxes. I'd probably run ACID on the DB box, and remote the display back by forwarding the X11 over ssh.
In a larger setup, where you have snort sensors scattered about many external perimeters, you need to gather their traffic in to one collection point DB; I'd isolate that DB on a very individual net, and tunnel the traffic from the various sensors, probably using GRE with ACLs at the tunnel entry point. And again, I'd probably run ACID on the DB box, accessing it via ssh. No matter where you place the RDBMS, make sure you run packet filtering on that server to very tightly restrict which sources are permitted to try to connect to the DB. -Bennett
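The last paragraph's advice, "run packet filtering on that server to very tightly restrict which sources are permitted to try to connect to the DB", as an added example that is not part of Bennett's post: a small POSIX sh script that validates a list of sensor addresses and emits a default-deny iptables ruleset for the DB host. It assumes Linux iptables on the DB box, a MySQL-style listener on TCP 3306, an ssh listener on TCP 22 for the ACID/X11 session, and the addresses used are hypothetical documentation ranges. The script only prints the rules; you apply them by piping the output to sh as root.

```sh
#!/bin/sh
# Added example (not from the original post). Generate a host firewall for
# the snort collection DB: only the sensors may open RDBMS connections, only
# the admin console may ssh in, everything else inbound is dropped and logged.
# Assumes iptables; port numbers and addresses below are hypothetical.

# valid_ipv4 ADDR[/PREFIX]: return 0 for a dotted quad with optional /0-/32.
valid_ipv4() {
    addr=${1%/*}
    prefix=${1#"$addr"}
    case "$prefix" in
        "") ;;
        /[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# db_rules DB_PORT ADMIN_SRC SENSOR_SRC...: print iptables commands for the DB
# host. ADMIN_SRC is the one address allowed to ssh in (for the ACID display);
# each SENSOR_SRC is a sensor allowed to connect to the RDBMS port.
db_rules() {
    db_port=$1
    admin_src=$2
    shift 2
    [ $# -ge 1 ] || { echo "no sensor addresses given" >&2; return 1; }
    # Refuse to emit anything if a single address is malformed: a typo here
    # would otherwise silently widen (or break) the allow list.
    for src in "$admin_src" "$@"; do
        valid_ipv4 "$src" || { echo "bad address: $src" >&2; return 1; }
    done
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport $db_port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -s $admin_src --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -j LOG --log-prefix 'db-drop: '"
}

# Usage: ./db_rules.sh 3306 198.51.100.7 192.0.2.10 192.0.2.11 | sudo sh
if [ $# -gt 0 ]; then
    db_rules "$@"
fi
```

With that in place, the only path to the ACID console is `ssh -X admin@dbhost` from the admin address, running the browser on the DB box with its display forwarded back over the ssh session, which keeps both the RDBMS port and the web front end off the wire. If the sensors reach the DB through GRE tunnels as described above, the sensor addresses given here should be the tunnel-side addresses, and the tunnel endpoint itself still needs its own ACLs.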
Current thread:
- IDS Topology Saul Bosquez (Jan 09)
- Re: IDS Topology Demetri Mouratis (Jan 09)
- Re: IDS Topology Saad Kadhi (Jan 09)
- Re: IDS Topology Demetri Mouratis (Jan 10)
- Re: IDS Topology Saad Kadhi (Jan 09)
- <Possible follow-ups>
- IDS Topology Saul Bosquez (Jan 09)
- Re: IDS Topology Erek Adams (Jan 09)
- Re: IDS Topology Bennett Todd (Jan 10)
- RE: IDS Topology James R. Hendrick (Jan 10)
- IDS Topology Saul Bosquez (Jan 10)
- Re: IDS Topology Demetri Mouratis (Jan 09)