Solved

Snort

Posted on 2009-05-11
Medium Priority
866 Views
Last Modified: 2013-12-16
I am using Snort 2.8.4.1 on Fedora 6 with two LAN cards. I have some doubts about Snort; I have mentioned some questions below.

My Snort configuration:

eth0 = IP not set, but it will be up at boot time
eth1 = 192.168.1.30
In the Snort startup script I have mentioned the interface as eth0.
Snort is running as a service.

These are my questions:

1) If I need to monitor all the servers in my network, do I need to configure Snort on all the servers individually?

2) If any intrusion occurs in my network or on any client PC in my network, will Snort alert?

3) Snort alerts when I use nmap to scan ports on the Snort PC, but Snort does not alert when I use nmap to scan ports on other client PCs or servers in my network.



Question by:rajasekarramasamy
5 Comments
 
LVL 1

Assisted Solution

by:Teacish
Teacish earned 248 total points
ID: 24362654
1) If you want to use Snort to monitor network threats you will need to set one of the interfaces into monitor mode so it can capture data correctly. You should not need to put it on each machine to be able to detect intrusions. However, if you have routing that prevents traffic from one network to another, then you would need to set it up on a machine in each network.

2) Snort will only alert if it captures network traffic that it thinks is an attempt to attack a machine. This is based on the signature database. If something is happening locally on a machine then it will not alert.

3) Unless that interface is plugged into a hub, you will need to configure the switch to allow monitoring on that port. For example, with a Cisco switch you will need to set up port spanning, or you will only see a very limited amount of traffic.

Hope this helps.



 

Author Comment

by:rajasekarramasamy
ID: 24363593
Thanks for your reply.

Is it possible to configure Snort as a host-based intrusion detection system?


 
LVL 1

Expert Comment

by:Teacish
ID: 24374434
Yes, it is possible to configure Snort as a host-based IDS.

Unfortunately I have not configured it this way myself. I shall see if I can find you some links that may help.
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 252 total points
ID: 24400991
Make sure your snort.conf file reflects the proper path, and make sure the scan rules are not commented out:
#include $RULE_PATH/scan.rules <-- uncomment this line
and in the scan.rules file too, uncomment line 37:
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)

Try to have Snort output alerts to the console:
snort -ieth0 -c/path/to/snort.conf -l/path/to/snort/log -Aconsole
(naturally fill in the /path/to... with the right paths for you, like /usr/local/snort/snort.conf)
You should see activity that way. A good nmap scan to set that off is:
nmap -sX -P0 -T5 ip.ip.ip.ip (that will set off 1000 alerts)
Try this for fewer alerts (naturally replace ip.ip.ip.ip with a DNS name or IP of a machine):
nmap -sX -P0 -T5 ip.ip.ip.ip -p 22,80,443
-rich
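The rule quoted in the accepted solution (sid 1228, flags:FPU,12) modelled in Python, as an added example that is not code from this thread or from the Snort project: it parses constructed IPv4/TCP packets, applies the same header-direction and flag test the rule applies, and shows why an `nmap -sX` probe trips it while a plain SYN scan does not, and why the ",12" part matters when the ECN bits are set. Assumptions made here: HOME_NET is the poster's eth1 subnet 192.168.1.0/24, EXTERNAL_NET is its complement (the `!$HOME_NET` form), the flag-bit names follow Snort's flags keyword, and all packets and addresses are constructed inline.

```python
import ipaddress
import struct

# Assumed for this example: HOME_NET is the poster's eth1 subnet and
# EXTERNAL_NET is its complement (the "!$HOME_NET" form of snort.conf).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# TCP flag bits as named by Snort's "flags" keyword. "1" and "2" are the two
# high bits Snort calls reserved; modern stacks use them for ECN (ECE/CWR).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

XMAS_FLAGS = FLAG_BITS["F"] | FLAG_BITS["P"] | FLAG_BITS["U"]  # nmap -sX sends 0x29


def parse_flags_option(option):
    """Parse a Snort flags option such as "FPU,12", "+A" or "!S".

    Returns (modifier, wanted, ignored): modifier "" means the flag byte
    must equal wanted exactly, "+" means wanted plus any others, "*" means
    any of wanted, "!" means none of wanted. Bits in ignored (the part
    after the comma) are cleared from the packet before comparing.
    """
    spec, _, ignore = option.partition(",")
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    wanted = 0
    for name in spec:
        wanted |= FLAG_BITS[name]
    ignored = 0
    for name in ignore:
        ignored |= FLAG_BITS[name]
    return modifier, wanted, ignored


def flags_match(tcp_flags, option):
    """Evaluate a Snort flags option against a raw TCP flag byte."""
    modifier, wanted, ignored = parse_flags_option(option)
    flags = tcp_flags & 0xFF & ~ignored
    if modifier == "":
        return flags == wanted
    if modifier == "+":
        return flags & wanted == wanted
    if modifier == "*":
        return flags & wanted != 0
    return flags & wanted == 0          # "!" modifier


def parse_ipv4_tcp(packet):
    """Return (src, dst, tcp_flags) from a raw IPv4 packet carrying TCP."""
    if packet[9] != 6:
        raise ValueError("not TCP")
    ihl = (packet[0] & 0x0F) * 4
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, packet[ihl + 13]   # flag byte sits 13 bytes into the TCP header


def xmas_rule_matches(packet):
    """Model of: alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:FPU,12 ...)."""
    src, dst, flags = parse_ipv4_tcp(packet)
    if src in HOME_NET or dst not in HOME_NET:   # $EXTERNAL_NET -> $HOME_NET
        return False
    return flags_match(flags, "FPU,12")


def build_packet(src, dst, tcp_flags, dport=22):
    """Construct a minimal 40-byte IPv4+TCP header (no payload) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4,
                          tcp_flags, 1024, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # Constructed packets: the scanner is 10.0.0.5, the target 192.168.1.30.
    cases = {
        "nmap -sX (FPU)":            build_packet("10.0.0.5", "192.168.1.30", XMAS_FLAGS),
        "nmap -sX with ECN bits":    build_packet("10.0.0.5", "192.168.1.30", XMAS_FLAGS | 0xC0),
        "nmap -sS (SYN only)":       build_packet("10.0.0.5", "192.168.1.30", FLAG_BITS["S"]),
        "XMAS from inside HOME_NET": build_packet("192.168.1.40", "192.168.1.30", XMAS_FLAGS),
    }
    for label, pkt in cases.items():
        print(f"{label:28s} -> alert={xmas_rule_matches(pkt)}")
```

Two things follow from the model that bear on question 3. First, the rule only fires for packets whose destination is inside HOME_NET, so if HOME_NET in snort.conf does not cover the servers being scanned (or EXTERNAL_NET excludes the scanning host), scanning them will never alert no matter what nmap sends. Second, the model sees every packet handed to it, which a real sensor on a switched network does not: without a SPAN/mirror port or a hub, traffic between two other hosts never reaches eth0, which is the other reason the same scan alerts only when aimed at the Snort box.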
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24401014
Oh, and it's probably more efficient to have one mirrored port on the switch, as indicated above; Cisco calls it a SPAN port or port monitor: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
Other switch makers call it port mirroring as well...
http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/sampling-config21.html
Installing BASE makes Snort easy to work with. If you're deploying a lot of sensors to different switches, I recommend Aanval as a front-end to Snort; it does a good job of aggregating all the sensors.
-rich
