Snort mailing list archives

RE: Can Snort monitor multiple VLANs from a single box?


From: "Escudero, Peter Louis" <peterlouis.escudero () eds com>
Date: Thu, 7 Apr 2005 11:26:15 -0400

Thanks for the catch-all rule, Eric. Our problem is solved. I forgot
that in snort.conf some rules are disabled by default to account for
site policy & reduce false positives. Once we enabled all of them we
started getting alerts from the switches & the Windows servers. There
was nothing wrong with nmap or the switches after all :)

BTW, we've started using NeWT (Nessus for Windows Technology) v2.1, from
Tenable Security, to do our scanning. I think it's better than nmap, & I
can run it standalone from my laptop. It even tells me what to do if it
finds a security hole. Thanks again everyone for your help.

Peter Escudero

-----Original Message-----
From: Eric Maheo [mailto:eric.maheo () appliedwatch com] 
Sent: Wednesday, April 06, 2005 1:51 PM
To: Escudero, Peter Louis
Subject: RE: [Snort-users] Can Snort monitor multiple VLANs from a
single box?

On Wed, 2005-04-06 at 12:24 -0400, Escudero, Peter Louis wrote:
Many thanks to all who gave advice. It now looks like the scanner tool
we're using (nmap v3.81) might be the root cause of the problem.

Well, what I would do is a rule for snort that can catch a lot of events,
a kind of catch-all rule on a port, like:

alert tcp any any -> any $HTTP_PORTS (msg:"test http";
classtype:attempted-admin; sid:3000000; rev:1;)

Add this in your local.rules, add an entry (3000000 || test http) in
your sid-msg.map if you use barnyard, and restart your agent.

This will capture all traffic on port 80... so just leave this rule running
for a few minutes or seconds, and you can monitor your snort log file with
a tail -f <file_name>

I think, but not sure tho... it seems that you cannot scan your own
network and generate alerts with snort. I don't know where, but there are
some options for that in the preprocessors portscan, flow...
Anyway this rule will tell you for sure that your installation and
configuration of snort is ok. Well, I would also do a tcpdump -i interface
port 80, and if you see some traffic on your console the snort rule I gave
you will log the same traffic.

Once it works fine you can investigate other parts of your installation
to see why, when you nmap, it doesn't do what you expect...


I hope it helps.

-- 

Eric Maheo
Vice President of Engineering,

Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102

Tel: (877) 262-7593 x324
Fax: (877) 262-7593

Email: eric.maheo () appliedwatch com
Web: http://www.appliedwatch.com


On one Cisco 2950 switch we used nmap to scan a bunch of Sun Solaris
boxes, & snort was able to capture the alerts & send them to the MySQL
database on another box. But when we tried to scan the switch itself,
as well as its failover partner, snort didn't see anything. The other
Cisco 2950 switch that's being monitored by another snort instance is
also a 2950, but it only has a Cisco PIX, a switch & a Cisco CSS on it
(no servers). Snort didn't see anything from that switch, either. The
Cisco GigE switch has several Windows servers on it, but again snort
didn't capture any alerts. So my question is, what options should we
use with nmap to simulate attacks on switches, firewalls, routers &
Windows boxes, so we can generate alerts that snort can capture? The
syntax we've been using is "nmap -v -A -T5 <targets>". On the 1st
switch above, we tried all the relevant options available, to no
avail.

Peter Escudero


______________________________________________________________________

From: Basselgia, Barry A Mr (NAF Atsugi) 
[mailto:BABasselgia () atsugi navy mil]
Sent: Tuesday, April 05, 2005 4:49 PM
To: Peter Barton; Snort-users () lists sourceforge net; Escudero, Peter 
Louis
Subject: RE: [Snort-users] Can Snort monitor multiple VLANs?



I think that it depends on how you have the monitoring/span port on the
Cisco switches configured. If the port is configured to send the traffic
to the snort box, I don't know why it wouldn't work. If you try to
monitor a GIG switch with a 10/100 interface in your snort box, the
switch is going to start dropping packets when traffic gets too much for
the 10/100 interface.

I have a snort sensor running on a Dell Precision 340 with 6 network
interfaces, 4 GIG and 2 10/100. I'm running SuSE 9.1 and snort 2.3.2. I
have the 4 GIG interfaces bonded together as bond0 and bond1; I'm using
taps with these interfaces. One of the 10/100 ports is monitoring a
Cisco switch, the other is my management interface.

I have 3 instances of snort and barnyard running, 1 each for eth0,
bond0, and bond1. I'm using the same snort config file and rules for all
3 instances. The startup/sysconfig scripts provided with snort 2.3.2
work nicely for this. Just copied the files to init.d and sysconfig. In
the sysconfig/snort file I have INTERFACE="eth0 bond0 bond1". The snortd
script then starts 3 instances of snort with no problem. The unified log
files end up in:

/var/log/snort/eth0
/var/log/snort/bond0
/var/log/snort/bond1

I then set up 3 barnyard config files, barnyard-eth0.conf,
barnyard-bond0.conf, and barnyard-bond1.conf, to process the unified
logs into a mysql database on a different machine. I copied the snortd
script to barnyardd and modified it to start barnyard instead of snort.
Everything works pretty well.

The whole trick to getting the above to work is that you have to have
enough memory in your snort box. When I first set this up, I was
dropping a lot of packets, but I only had 256meg of memory. I upgraded
to 512meg and the packet drop rate went down. I've got memory on order
to take the system to 1gig; I think that will really help.

Barry
         
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Peter Barton
Sent: Wednesday, April 06, 2005 1:02 AM
To: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Can Snort monitor multiple VLANs?

If you are having Snort log directly to MySql then the easiest way to do
it is to have multiple instances of Snort running, one for each
interface.

My question to everyone is, what if you use Barnyard to write to MySql
and have Snort just write to binary files. I still have multiple
instances of Snort running, but I can only seem to get one instance of
Barnyard running. Is there a trick to this or am I just going about this
the wrong way?

Thanks,

Peter Barton

______________________________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
Escudero, Peter Louis
Sent: Tuesday, April 05, 2005 10:54 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Can Snort monitor multiple VLANs?

Our IDS box is a Dell PE750 running SuSE Linux 9.1 Pro & snort v2.1.x,
with a quad 10/100 NIC card. Three of the ports are hooked up to 3
different Cisco switches, representing 3 different VLANs. We're able to
capture alerts from one switch, but not from the others. Is snort able
to monitor different VLANs? Or do we need a separate IDS box for each
VLAN? Any info you can provide will be greatly appreciated.

Peter Escudero
                
                


