Snort mailing list archives
RE: Dual home IDS? ACID and send email alerts on one, IDS on the other.
From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Sun, 24 Oct 2004 10:10:48 -0400
A couple of items you might want to consider:

- Where is the sensor located (in the network topology)? Does this imply any special requirements?
- What do you want *from* the sensor?
  - Do you want to be able to send RST packets from the sensor? (active response) If so, you need to be physically able to do this.
- What are the characteristics of the monitoring point itself?
  - Are you monitoring a simple half-duplex 100 Mb/s link? An Internet link where the traffic will never exceed 5 Mb/s? A full-duplex Gigabit trunk of internal traffic?

What I am basically saying is that there is no requirement to silence the interface or use a second NIC as far as snort is concerned. That decision must be made based on where the sensor is and what functionality you want from it.

The security of the sensor itself must be taken into account (patch the box, disable or do not install unnecessary services, use good basic security including ssh or physical-only access, etc.) but do not mistake silencing a single interface with a layered security strategy for the server(s). Consider what is the risk to the sensor for being attacked or probed. Is it likely to be more vulnerable than if it were *not* a sensor? You can run snort on a server|workstation on an internal production network and that does not require a "silent" interface. Why would having a "silent" interface make it any more secure or provide snort any better performance *other than* to not have the communications to|from the sensor use that interface?

However, if it is located where there *is* more risk (like on a firewall service net or even outside the firewall) or you simply want to physically isolate the traffic, you may well want to use multiple NICs and configure them to be as invisible and silent as possible.
There are several options here:

- you can simply ifconfig an interface up, but give it no IP address
- you can custom create a "receive only" cable
- you can use specially designed network taps that are physically incapable of transmitting (or are able to transmit, based again on your need)

Thinking about being able to transmit or not is usually a decision made partially on security (if the interface cannot transmit, it is less vulnerable to attack, although a vulnerability that exploited something in the network processing itself could still succeed) and partially on your need to transmit from that interface (if you want to use the sensor as an intrusion *prevention* system by transmitting TCP resets to offending connections, obviously it will need to be able to transmit). This in itself is a complex and contentious decision that I won't go deeply into here. Simply consider that not all traffic *is* TCP (so a reset will be ineffective against it) and "single packet kills" will still make it past.

To summarize:

- In a small setting (for example) I have used a sensor with one interface on the internal network (listening for potential problems that have made it through the firewall or initiating on the inside) and a second silenced interface outside the firewall (I choose not to do active response, and do not want an attacker to be able to gain information about the IDS itself through that interface).
- In another setting, I will be using a dedicated interface in conjunction with a copper Gigabit tap that interleaves both directions of traffic to a single link (using an aggregated tap since I am confident that the utilization on that link is low enough that I will be highly unlikely to have packet loss).

Best of luck. Do some research and have fun!
Jim Hendrick
GCFW, GCIA, GCIH

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Marty Hauser
Sent: Saturday, October 23, 2004 2:06 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Dual home IDS? ACID and send email alerts on one, IDS on the other.

Greetings,

Thanks to the great work of the group behind and Patrick S. Harper <mailto:patrick () internetsecurityguru com>, his procedures are very good and I have Fedora Core 2 and snort 2.2.0 running perfectly. There is nothing wrong with the IDS system; this question is on an enhancement.

My manager configured the Cisco switch to mirror all traffic to one port. That's what we want, but I'm told that this port is IP-less and no traffic can flow into or out of the IDS system. The IDS system is connected to this port and working perfectly. The issue is the IDS system can't send emails or access the functional ACID website.

I thought of adding a second NIC and directing SNORT to monitor this NIC instead and connect the original NIC to the network on a normal port and regain email and ACID website support.

Have you guys any guidance/experience with resolving an issue like this? Any help would really be appreciated.

Thanks,
Marty Hauser
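A worked version of the dual-homed layout discussed in this thread (one NIC on the mirror port brought up with no IP address and ARP disabled for Snort to sniff, the other NIC left as the normal management interface for email and ACID), added here as an example; it is not code from either poster. It assumes a Linux host with the iproute2 `ip` tool rather than the `ifconfig` of the thread's era (the equivalent there would be `ifconfig eth1 0.0.0.0 up promisc -arp`), and the interface names eth0/eth1 and the path /etc/snort/snort.conf are placeholders. The Snort flags `-i`, `-c` and `-D` are Snort's own; the sample `ip addr` outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: make the mirror-port NIC a sniff-only
# interface (no IP, no ARP, promiscuous) and bind Snort to it, while the other
# NIC keeps its address for management traffic (email, ACID web UI).

SNIFF_IF="${SNIFF_IF:-eth1}"                        # assumed: NIC on the SPAN/mirror port
MGMT_IF="${MGMT_IF:-eth0}"                          # assumed: NIC used for email/ACID
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # assumed config path

# Emit (rather than run) the commands that silence an interface, so the plan can
# be reviewed before it is applied. No address is assigned, ARP and multicast are
# switched off so the NIC never answers on the wire, and promiscuous mode is
# enabled so mirrored frames for other hosts are captured.
silent_iface_cmds() {
    iface="$1"
    printf '%s\n' \
        "ip addr flush dev $iface" \
        "ip link set dev $iface arp off" \
        "ip link set dev $iface multicast off" \
        "ip link set dev $iface promisc on" \
        "ip link set dev $iface up"
}

# Snort daemonised on the sniff interface only; management NIC is untouched.
snort_cmd() {
    printf 'snort -i %s -c %s -D\n' "$1" "$2"
}

# Post-configuration check: given the text of `ip -4 addr show dev IFACE`,
# succeed only if no IPv4 address line is present. Takes the text as an
# argument so it can be verified against captured output offline.
has_no_ipv4() {
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Constructed sample outputs standing in for `ip -4 addr show dev ...`.
SAMPLE_SILENT='3: eth1: <BROADCAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'
SAMPLE_MGMT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

if [ "$1" = "apply" ]; then
    # Must be run as root; each command is executed with set -e semantics.
    silent_iface_cmds "$SNIFF_IF" | sh -e
    snort_cmd "$SNIFF_IF" "$SNORT_CONF" | sh -e
else
    echo "# would run (pass 'apply' to execute):"
    silent_iface_cmds "$SNIFF_IF"
    snort_cmd "$SNIFF_IF" "$SNORT_CONF"
    echo "# management interface left as-is: $MGMT_IF"
fi
```

Run without arguments to review the commands; `apply` executes them. After applying, `has_no_ipv4 "$(ip -4 addr show dev eth1)"` confirms the sniff NIC carries no address, which is the property that keeps it from being reachable or from sourcing traffic on the mirror port. With ARP off and no address, the interface cannot send TCP resets, so this layout is the passive (non-active-response) choice Jim describes.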