Solved

Snort

Posted on 2009-05-11
Last Modified: 2013-12-16
I am using Snort 2.8.4.1 on Fedora 6 with two LAN cards. I have some doubts about Snort; I have mentioned some questions below.

My snort configuration

eth0= IP not set but it will up at boot time
eth1=192.168.1.30
In the Snort startup script I have mentioned the interface as eth0.
Snort is running as a service.

These are my questions:

1) If I need to monitor all the servers in my network, do I need to configure Snort on each server individually?

2) If any intrusion occurs in my network or on any client PC in my network, will Snort alert?

3) Snort alerts when I use nmap to scan ports on the Snort PC, but Snort does not alert when I use nmap to scan ports on other client PCs or servers in my network.

Question by:rajasekarramasamy
LVL 1

Assisted Solution

by:Teacish
Teacish earned 62 total points
ID: 24362654
1) If you want to use snort to monitor network threats you will need to set one of the interfaces into monitor mode so it can capture data correctly. You should not need to put it on each machine to be able to detect intrusions. However if you have routing that prevents traffic from one network to another then you would need to set it up on a machine in each network.

2) Snort will only alert if it captures network traffic that it thinks is an attempt to attack a machine. This is based on the signature database. If something is happening locally on a machine then it will not alert.

3) Unless that interface is plugged into a hub, you will need to configure the switch to allow monitoring on that port. For example, with a Cisco switch you will need to set up port spanning, or you will only see a very limited amount of traffic.

Hope this helps.


Author Comment

by:rajasekarramasamy
ID: 24363593
Thanks for your reply.

Is it possible to configure Snort as a host-based intrusion detection system?

LVL 1

Expert Comment

by:Teacish
ID: 24374434
Yes, it is possible to configure Snort as a host-based IDS.

Unfortunately I have not configured it this way myself. I shall see if I can find you some links that may help.
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 63 total points
ID: 24400991
Make sure your snort.conf file reflects the proper path, and make sure the scan rules are not commented out:
#include $RULE_PATH/scan.rules <-- uncomment this line
and in the scan.rules file too, uncomment line 37:
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)

Try to have Snort output alerts to the console:
snort -ieth0 -c/path/to/snort.conf -l/path/to/snort/log -Aconsole
(naturally, fill in the /path/to... with the right paths for you, like /usr/local/snort/snort.conf)
You should see activity that way. A good nmap scan to set that off is:
nmap -sX -P0 -T5 ip.ip.ip.ip (that will set off 1000 alerts)
Try this for fewer alerts (naturally, replace ip.ip.ip.ip with a DNS name or IP of a machine):
nmap -sX -P0 -T5 ip.ip.ip.ip -p 22,80,443
-rich
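How the scan.rules entry quoted above (sid:1228) decides that a probe is an nmap XMAS scan, as an added example that is not from this thread or the Snort project: a simplified Python parser for one Snort 2.x rule line plus an evaluator for its flags option, run against a constructed TCP flags byte. It also shows why the rule can never fire while the line keeps its leading '#'. Address and $HOME_NET/$EXTERNAL_NET matching is left out (assumption), and the ';'-splitting assumes no ';' inside quoted values.

```python
import re

# Constructed sample: the scan.rules entry (sid 1228) quoted in the answer,
# still carrying the leading '#' that the answer says to remove.
RULE_LINE = ('#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; '
             'flow:stateless; flags:FPU,12; reference:arachnids,30; '
             'classtype:attempted-recon; sid:1228; rev:8;)')

# Snort's one-letter TCP flag names -> bits of the TCP flags byte.
# '1' and '2' are the two reserved bits (the CWR/ECE positions).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "1": 0x80, "2": 0x40}

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(line):
    """Split one Snort 2.x rule line into (enabled, header dict, options dict).
    A repeated option (e.g. several 'reference' keys) keeps only its last value."""
    text = line.strip()
    enabled = not text.startswith("#")          # commented rules are never loaded
    m = HEADER_RE.match(text.lstrip("#").strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    names = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    header = dict(zip(names, m.groups()[:7]))
    options = {}
    for opt in m.group(8).split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            options[key] = val.strip().strip('"')
    return enabled, header, options

def flags_match(spec, tcp_flags):
    """Evaluate a Snort 'flags' option such as 'FPU,12' against a TCP flags byte.
    Bits named after the comma are masked out first. Modifiers: '+' = at least
    these, '*' = any of these, '!' = not exactly these; none = exact match."""
    want, _, ignore = spec.partition(",")
    modifier = want[0] if want[:1] in ("+", "*", "!") else ""
    want = want[len(modifier):]
    mask = 0xFF
    for ch in ignore:
        mask &= ~TCP_FLAG_BITS[ch]
    want_bits = sum(TCP_FLAG_BITS[ch] for ch in want)
    seen = tcp_flags & mask
    if modifier == "+":
        return (seen & want_bits) == want_bits
    if modifier == "*":
        return (seen & want_bits) != 0
    if modifier == "!":
        return seen != want_bits
    return seen == want_bits

def rule_fires(rule_line, tcp_flags):
    """True only if the rule is uncommented AND its flags option matches the packet."""
    enabled, _, options = parse_rule(rule_line)
    return enabled and flags_match(options["flags"], tcp_flags)

XMAS_FLAGS = 0x01 | 0x08 | 0x20   # FIN, PSH, URG: what an nmap -sX probe sets
```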
LVL 38

Expert Comment

by:Rich Rumble
ID: 24401014
Oh, and it's probably more efficient to have one mirrored port on the switch, as indicated above. Cisco calls it a SPAN port or port monitor: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
Other switch makers call it port mirroring as well:
http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/sampling-config21.html
Installing BASE makes Snort easy to work with. If you're deploying a lot of sensors to different switches, I recommend AAnvil as a front-end to Snort; it does a good job of aggregating all the sensors.
-rich