Solved

Snort

Posted on 2009-05-11
5
860 Views
Last Modified: 2013-12-16
I am using snort 2.8.4.1 in Fedora 6 with two LAN card. I have some doubt about snort i have mentioned some question below.

My snort configuration

eth0= IP not set but it will up at boot time
eth1=192.168.1.30
In snort startup script i have mention the interface as eth0.
Snort running as service.

This is my question

1) If i need to monitor all my servers in my network, i need to configure snort in all the the server individually?

2) If any intrusion occur in my network or in any client pc in my network snort will alert?

3) snort alerting when i use nmap to scan port on snort pc but snort not alerting when i use nmap to scan port for other client pc or servers in my network.



0
Comment
Question by:rajasekarramasamy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 1

Assisted Solution

by:Teacish
Teacish earned 62 total points
ID: 24362654
1) If you want to use snort to monitor network threats you will need to set one of the interfaces into monitor mode so it can capture data correctly. You should not need to put it on each machine to be able to detect intrusions. However if you have routing that prevents traffic from one network to another then you would need to set it up on a machine in each network.

2)Snort will only alert if it captures network traffic that it thinks is an attempt to attack a machine.This is based on the signature database. If something is happening locally on a machine then it will not alert.

3) Unless that interface is plugged into a hub then you will need to configure the switch to allow monitoring on that port. For example with a cisco switch you will need to set up port spanning or you will only see a very limited amount of traffic.

Hope this helps.



0
 

Author Comment

by:rajasekarramasamy
ID: 24363593
Thanks for your reply.

It possible to configure snort as a Host based intrusion detection system?


0
 
LVL 1

Expert Comment

by:Teacish
ID: 24374434
Yes it is possible to configure snort as a host based IDS.

Unfortunately i have not configured it this way myself. I shall see if i can find you some links that may help.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 63 total points
ID: 24400991
Make sure your snort.conf file reflects the proper path and make sure scan rules are not commented out:
#include $RULE_PATH/scan.rules <-- uncomment this line
and in the scan.rules file too, uncomment line 37
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)

Try to have snort output alerts to the console
snort -ieth0 -c/path/to/snort.conf -l/path/to/snort/log -Aconsole
(naturally fill in the /path /to... with the right paths for you like /usr/local/snort/snort.conf)
you should see activity that way. A good nmap scan to set that off is:
nmap -sX -P0 -T5 ip.ip.ip.ip (that will set off 1000 alerts)
try this for less alerts (naturally replace ip.ip.ip.ip with a dns name or ip of a machine)
nmap -sX -P0 -T5 ip.ip.ip.ip -p 22,80,443
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24401014
Oh and it's probably more efficient to have one mirrored port on the switch, as indicated above, cisco calls it a span port or port monitor http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml 
Other switch makers call it port mirror as well...
http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/sampling-config21.html
installing BASE makes snort easy to work with. If your deploying a lot of sensors to different switches I recommend AAnvil as a front-end to snort, it does a good job of aggregating all the sensors.
-rich
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question