Re: Multi-sensor setup

[William Young <williamdyoung () gmail com>]

Even if you're tracking internal users to the internet, Snort is better
suited inside the firewall.  I assumed the firawall is providing dynamic
NAT.
Outside the firewall, all those users 'malicious or unwanted' activity will
be source IP'ed to the firewall. Keep it inside. You'll see everything you
need and the firewall logs will give you session drop assurance.

-wdy
--------------------------------
William Young

2009/7/22 Scott Elgram <SElgram () verifpoint com>

> As far as I know it will and right now I do have IPFW logging most of the
> denied connection attempts.  What prompted this whole exercise is that a
> few
> managers had come to me with concern about their employee's internet usage
> during business hours.  For the moment I have IPFW logging all the traffic
> from a few individuals of interest but it's not an ideal setup.  It was
> then
> that I remembered the fun I had with snort and ACID many years ago and
> thought that it might be a more ideal way to monitor outbound traffic. So,
> sense I was building one for that I figured I would add an IDS back into
> the
> loop too.
>
> -Scott
>
>
> -----Original Message-----
> From: Milo Velimirovic [mailto:milov () uwlax edu]
> Sent: Wednesday, July 22, 2009 2:28 PM
> To: SElgram () VerifPoint com
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Multi-sensor setup
>
> Instead of having a snort sensor to look at the trafic outside the
> firewall, how about having the firewall send syslog messages to a
> logging server. Your firewall will generate syslog, right? If you
> ratchet up the syslog level to warning or above you should see plenty.
>
>  - M
>
> On Jul 22, 2009, at 4:13 PM, Scott Elgram wrote:
>
> > I would like to see the traffic that is attempting to get through as
> > well
> > just so I know what sort of attacks or whatever is being attempted
> > against
> > my firewall.  As far as I know everything is hunky dory and anything
> > malicious isn't getting through but it's a bit like standing at the
> > edge of
> > a dark hole.  Sure, I'm fine where I am now but I have no iea what's
> > in the
> > hole.
> >
> > -Scott
> >
> > -----Original Message-----
> > From: Joel Esler [mailto:jesler () sourcefire com]
> > Sent: Wednesday, July 22, 2009 2:05 PM
> > To: SElgram () VerifPoint com
> > Cc: Richard Bejtlich; <snort-users () lists sourceforge net>
> > Subject: Re: [Snort-users] Multi-sensor setup
> >
> > Okay, I'll ask. Why do you want to compare traffic getting through?
> > Just sniff behind the firewall and then you know what's getting
> > through.
> >
> > --
> > Sent from my iPhone
> >
> > On Jul 22, 2009, at 3:13 PM, "Scott Elgram" <SElgram () VerifPoint com>
> > wrote:
> >
> > > Ideally I was thinking of attaching one interface just before my
> > > firewall on
> > > the internet side and the other just after the firewall on the
> > > internal
> > > network side.  I'd like to be able to view both the traffic that is
> > > attempting to get through the firewall on both sides and by
> > > comparison see
> > > what traffic is making it through.  I'm relatively new to snort so
> > > I'm not
> > > entirely sure if this is even a logical setup but I figured it was
> > > worth a
> > > try.
> > >
> > > -Scott
> > >
> > > -----Original Message-----
> > > From: Richard Bejtlich [mailto:taosecurity () gmail com]
> > > Sent: Wednesday, July 22, 2009 12:07 PM
> > > To: SElgram () verifpoint com; snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] Multi-sensor setup
> > >
> > > Hello,
> > >
> > > What do you expect to have xl0 and xl1 monitor?
> > >
> > > Richard
> > >
> > > On 7/22/09, Scott Elgram <SElgram () verifpoint com> wrote:
> > > > Hello,
> > > >
> > > >           I have recently completed a Snort install on FreeBSD but
> > > > I'm
> > > > unable to get it to do what I would like.  I have 3 interface cards
> > > > installed (fxp0, xl0, xl1) and my plan is to set up fxp0 with an IP
> > > address
> > > > for BASE and leave the other two as Snort sensors without IP
> > > > addresses in
> > > > "promisc -arp" mode.
> > > >
> > > > If I set snort_interface to either xl0 or xl1 Snort runs perfectly
> > > > fine
> > > for
> > > > the assigned interface but not at all for the unassigned interface,
> > > > obviously.  After some digging I found some posts that stated I
> > > > could
> > > > accomplish my goal by bridging the two interfaces, which I have
> > > > done with
> > > > the following in my rc.conf file:
> > > >
> > > > ----------------------------------
> > > >
> > > > cloned_interfaces="bridge0"
> > > >
> > > > ifconfig_bridge0="addm xl0 addm xl1 up"
> > > >
> > > > ifconfig_xl0="up promisc -arp"
> > > >
> > > > ifconfig_xl1="up promisc -arp"
> > > >
> > > > ----------------------------------
> > > >
> > > >
> > > >
> > > > However, this still does not log consistent data for the two
> > > > networks.
> > > With
> > > > snort_interface set to xl0, I ping through the network connected to
> > > > xl0
> > > and
> > > > I get all the data, if I ping through the network connected to xl1
> > > > I only
> > > > get two entries and then nothing after that.ever.  I get the same
> > > > result
> > > > with snort_interface set to bridge0.  Additionally, the 2 entries I
> > > > do get
> > > > from pinging through the xl1 network are logged as sensor xl0.
> > > >
> > > >
> > > >
> > > > Am I missing something, is this something snort can do?
> > > >
> > > >
> > > >
> > > > Thanks,
> > > >
> > > > -Scott
> > >
> > >
> > >
> > > ---
> > > ---
> > > ---
> > > ---------------------------------------------------------------------
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ----------------------------------------------------------------------------
> --
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Milo Velimirović,  Unix Computer Network Administrator
> 608.785.6618 Office -  608.386.2817 Cell
> University of Wisconsin - La Crosse
> La Crosse, Wisconsin 54601 USA   43 48 48 N 91 13 53 W
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users