Snort mailing list archives

Re: IDS Topology


From: Bennett Todd <bet () rahul net>
Date: Fri, 10 Jan 2003 10:14:17 -0500

2003-01-09T20:36:09 Saul Bosquez:
[...] I'm trying to install snort 1.8.7 [...]

Don't Do That [tm].

Snort 1.8.x has been obsolete since 1.9.0 was released last October
(despite the .0 release number, 1.9.0 was exceedingly stable, as it
had a nice long leisurely beta:-).

Sometime after then, but well before the end of last year, 1.8.x
rule updates tapered off and stopped. Now you can no longer download
updated rules files for 1.8.x snort.

Install 1.9.0. Or, if it's available when you visit www.snort.org to
download, 1.9.1, which I've heard rumoured for a week or two, but
haven't yet seen.

As for the question of where to put the DB, I'm not an ACID user (I
syslog to a RiskManager console), but here's the way to think about
it.

Snort -(rdbms)-> DB <-(rdbms)- ACID <-(X11)- X server

The arrows indicate the direction in which TCP connections are
established, the (parens) describe the protocol.

You want your snort outside the firewall. You want your display ("X
server" in the above diagram) on your desk, presumably.

If your box has the horsepower to spare (you don't mention details,
most importantly how much bandwidth you're snorting), then you are
more or less free to decide which bits lie where.

The two performance-critical bits (i.e. the ones that will fight for
resources like cats and dogs) are going to be snort and the DB;
unless you've got very little bandwidth to worry about (say, a T1 or
two at most), you probably want to give them separate machines.

The other consideration is the security of traffic. There's an
appeal to not allowing that inbound RDBMS connection into a more
tightly protected net, since RDBMSes aren't especially famous for
the security of their implementations. For a small, single-sensor
shop, I'd definitely park the DB alongside the sensor, outside the
firewall, whether it was on the same box or on separate boxes. I'd
probably run ACID on the DB box, and remote the display back by
forwarding the X11 over ssh.

In a larger setup, where you have snort sensors scattered about many
external perimeters, you need to gather their traffic in to one
collection point DB; I'd isolate that DB on a very individual net,
and tunnel the traffic from the various sensors, probably using GRE
with ACLs at the tunnel entry point. And again, I'd probably run
ACID on the DB box, accessing it via ssh.

No matter where you place the RDBMS, make sure you run packet
filtering on that server to very tightly restrict which sources are
permitted to try to connect to the DB.

-Bennett
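The closing advice in the reply above, packet filtering on the DB server so that only the sensors may open the RDBMS port, as an added example that is not from the post or from the Snort project: a POSIX shell function that emits an iptables-restore ruleset with a default-deny INPUT chain, one ACCEPT per sensor for the DB port, and ssh admitted only from the single admin host that will carry the forwarded X11/ACID session. The port number, the admin host and the sensor addresses are constructed assumptions (RFC 5737 documentation ranges), and the `is_ipv4` check is deliberately crude, enough to stop a typo becoming a rule.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or the Snort project.
# Emits an iptables-restore ruleset for the host that runs the Snort DB:
# default deny inbound, RDBMS port open only to the listed sensors, ssh
# open only to one admin workstation. All addresses used are constructed
# documentation values (RFC 5737), not real hosts.

# is_ipv4 ADDR: crude dotted-quad check (digits and exactly three dots);
# it does not range-check octets, it only rejects obviously malformed input.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  dots=0; rest=$1
  while [ "$rest" != "${rest#*.}" ]; do
    rest=${rest#*.}; dots=$((dots + 1))
  done
  [ "$dots" -eq 3 ]
}

# db_ruleset DB_PORT ADMIN_HOST SENSOR_IP... : print the ruleset on stdout.
# Returns 1 without printing a ruleset if any argument is malformed, so a
# bad invocation cannot be piped into iptables-restore by accident.
db_ruleset() {
  [ "$#" -ge 3 ] || { echo "usage: db_ruleset DB_PORT ADMIN_HOST SENSOR_IP..." >&2; return 1; }
  db_port=$1; admin_host=$2; shift 2
  case "$db_port" in
    ''|*[!0-9]*) echo "bad port: $db_port" >&2; return 1 ;;
  esac
  is_ipv4 "$admin_host" || { echo "bad admin host: $admin_host" >&2; return 1; }
  for s in "$@"; do
    is_ipv4 "$s" || { echo "bad sensor address: $s" >&2; return 1; }
  done

  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'      # default deny on everything inbound
  printf '%s\n' ':FORWARD DROP [0:0]'    # the DB host is not a router
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # only the sensors may open new connections to the RDBMS port
  for s in "$@"; do
    printf '%s\n' "-A INPUT -s $s/32 -p tcp --dport $db_port -m state --state NEW -j ACCEPT"
  done
  # only the admin workstation may open ssh; ACID's display rides over it
  printf '%s\n' "-A INPUT -s $admin_host/32 -p tcp --dport 22 -m state --state NEW -j ACCEPT"
  printf '%s\n' 'COMMIT'
}

# Usage (left commented so the script is safe to run anywhere):
#   db_ruleset 3306 192.0.2.10 198.51.100.5 198.51.100.6 | iptables-restore
```

Everything not matched by an ACCEPT line falls through to the INPUT chain's DROP policy, so adding a new sensor means adding one address to the argument list rather than editing the chain by hand.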
