Snort mailing list archives
RE: Best Practices for external sensors
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Fri, 18 Jun 2004 16:08:48 -0400
Hi Brad,
Best way to do it is put your monitor port on the span port of the
switch on the outside (or external) segment. Then put your management port
on the inside (or internal) segment of your network. Then bring up the
monitor interface with no IP address and arp ignore mode (stealth mode).
For example:
ifconfig eth1 -arp up
Next read up on IP tables and set a policy to drop all packets that come
to the monitor interface. This looks weird but what happens is snort gets
to inspect the packets before iptables drops them. So when snorts done the
sensor doesn't care what else is in the packet.
Lock down the rest of the sensor following whatever hardening policies
you have. If done right the only thing that can go wrong is if someone
gains access to your sensor from the inside.
Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107
-----Original Message-----
From: jonasb () alum rpi edu [mailto:jonasb () alum rpi edu]
Sent: June 17, 2004 9:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best Practices for external sensors
I currently have a Snort infrastructure set up on my internal network with
several sensors managed via SnortCenter, logging to a centralized MySQL DB.
I am looking to deploy a sensor on our outside network (off of a mirrored
port on a switch). There are several firewalls with outside interfaces on
this switch.
I'm trying to get an idea of the best/most secure way to funnel alerts/logs
back into the network to our centralized logging server. I thought of some
type of VPN tunnel inbound, but my concern is that if the sensor were to be
compromised, there would be a direct path into the network. I obviously
don't want to multi-home the sensor inside/outside. Is my best bet just to
open up SQL connectivity from this external sensor to the inside DB on the
firewall and stream the alerts that way? If so, does anybody know of a way
of any type of wrapper that would encrypt these alerts?
Thanks
Brad
Current thread:
- Best Practices for external sensors jonasb (Jun 17)
- Re: Best Practices for external sensors Todd_Pratt (Jun 17)
- <Possible follow-ups>
- Re: Best Practices for external sensors M. Morgan (Jun 17)
- RE: Best Practices for external sensors Truax, Shawn (MBS) (Jun 18)