  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 878

Snort

I am using Snort 2.8.4.1 on Fedora 6 with two LAN cards. I have some doubts about Snort; I have listed my questions below.

My snort configuration

eth0 = no IP set, but it comes up at boot time
eth1 = 192.168.1.30
In the Snort startup script I have set the interface to eth0.
Snort is running as a service.

These are my questions:

1) If I need to monitor all the servers in my network, do I need to configure Snort on each server individually?

2) If any intrusion occurs in my network or on any client PC in my network, will Snort alert?

3) Snort alerts when I use nmap to scan ports on the Snort PC, but Snort does not alert when I use nmap to scan ports on other client PCs or servers in my network.



Asked by: rajasekarramasamy

2 Solutions

Teacish commented:
1) If you want to use Snort to monitor network threats, you will need to set one of the interfaces into monitor mode so it can capture data correctly. You should not need to put it on each machine to be able to detect intrusions. However, if you have routing that prevents traffic from one network reaching another, then you would need to set it up on a machine in each network.

2) Snort will only alert if it captures network traffic that it thinks is an attempt to attack a machine. This is based on the signature database. If something is happening locally on a machine, then it will not alert.

3) Unless that interface is plugged into a hub, you will need to configure the switch to allow monitoring on that port. For example, with a Cisco switch you will need to set up port spanning, or you will only see a very limited amount of traffic.

Hope this helps.



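The point in answer 3 (and in question 3 above) can be checked from the alerts themselves. The following Python script is an added example, not code from this thread or from the Snort project: it parses the lines Snort prints with -A console (the "fast" alert format) and tallies which hosts the alerts were aimed at. The alert lines are constructed for illustration, the sensor address 192.168.1.30 is taken from the question, and the client addresses are made up. If every alert's destination is the sensor itself, the interface is only seeing its own traffic and the switch's mirror/SPAN port still needs to be configured.

```python
import re
from collections import Counter

# Sensor address from the question (eth1); used only to classify alert targets.
SENSOR_IP = "192.168.1.30"

# Constructed sample lines in the format Snort writes with -A console / -A fast.
# Only the sid 1228 "SCAN nmap XMAS" signature quoted in the thread is used; the
# client addresses are made up and these are not real captures.
ALERTS_SENSOR_ONLY = """\
08/17-10:01:02.123456  [**] [1:1228:8] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40000 -> 192.168.1.30:22
08/17-10:01:02.223456  [**] [1:1228:8] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40001 -> 192.168.1.30:80
08/17-10:01:02.323456  [**] [1:1228:8] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40002 -> 192.168.1.30:443
"""

# Same sensor, but with a working mirror port: alerts for other hosts appear too.
ALERTS_WITH_SPAN = ALERTS_SENSOR_ONLY + """\
08/17-10:02:10.000001  [**] [1:1228:8] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40003 -> 192.168.1.40:22
08/17-10:02:10.100001  [**] [1:1228:8] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40004 -> 192.168.1.41:80
"""

# One fast-format alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {protocol}, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def alerts_by_target(text):
    """Count alerts per destination host."""
    return Counter(a["dst"] for a in parse_alerts(text))


def sees_other_hosts(text, sensor_ip=SENSOR_IP):
    """True if at least one alert targets a host other than the sensor itself."""
    return any(dst != sensor_ip for dst in alerts_by_target(text))


def diagnose(text, sensor_ip=SENSOR_IP):
    """Turn the tally into the check a sensor operator actually wants answered."""
    targets = alerts_by_target(text)
    if not targets:
        return "no alerts parsed: check that the rule set is active and -A console is in use"
    if not sees_other_hosts(text, sensor_ip):
        return "alerts only for %s: interface sees no other hosts' traffic (check the SPAN/mirror port)" % sensor_ip
    return "alerts for %d hosts: mirrored traffic is reaching the sensor" % len(targets)


if __name__ == "__main__":
    for name, sample in (("sensor only", ALERTS_SENSOR_ONLY), ("with span", ALERTS_WITH_SPAN)):
        print(name, dict(alerts_by_target(sample)), "->", diagnose(sample))
```

To run it against a real sensor, read the file Snort writes in the log directory given with -l (or pipe the console output into the script) in place of the constructed strings; the destination tally also shows at a glance which hosts on the segment are being probed.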
rajasekarramasamy (Author) commented:
Thanks for your reply.

Is it possible to configure Snort as a host-based intrusion detection system?


Teacish commented:
Yes, it is possible to configure Snort as a host-based IDS.

Unfortunately I have not configured it this way myself. I shall see if I can find you some links that may help.
Rich Rumble (Security Samurai) commented:
Make sure your snort.conf file reflects the proper path, and make sure the scan rules are not commented out:
#include $RULE_PATH/scan.rules <-- uncomment this line
and in the scan.rules file too, uncomment line 37:
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)

Try to have Snort output alerts to the console:
snort -ieth0 -c/path/to/snort.conf -l/path/to/snort/log -Aconsole
(naturally fill in the /path/to/... with the right paths for you, like /usr/local/snort/snort.conf)
You should see activity that way. A good nmap scan to set that off is:
nmap -sX -P0 -T5 ip.ip.ip.ip (that will set off 1000 alerts)
Try this for fewer alerts (naturally replace ip.ip.ip.ip with a DNS name or IP of a machine):
nmap -sX -P0 -T5 ip.ip.ip.ip -p 22,80,443
-rich
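The two things Rich asks you to verify, an active include of scan.rules in snort.conf and an uncommented sid 1228 rule, can be checked with a script before restarting the sensor. The following Python is an added example, not code from this thread or from the Snort project. The snort.conf and scan.rules fragments are constructed (the scan.rules line is the one quoted above, still commented out), and the RULE_PATH value /usr/local/snort/rules is an assumed path; for a real sensor, pass the contents of your own files instead.

```python
import re

# Constructed snort.conf fragment; /usr/local/snort/rules is an assumed RULE_PATH.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /usr/local/snort/rules
include $RULE_PATH/local.rules
#include $RULE_PATH/scan.rules
"""

# Constructed scan.rules fragment with the sid 1228 rule from the thread, still commented out.
SAMPLE_RULES = """\
# scan.rules (excerpt)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)
"""


def include_state(conf_text, rules_file):
    """'active' if snort.conf includes rules_file, 'commented' if only a commented
    include exists, 'missing' if there is no include line for it at all."""
    pat = re.compile(r"^\s*(#\s*)?include\s+\S*" + re.escape(rules_file) + r"\s*$")
    state = "missing"
    for line in conf_text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        if m.group(1) is None:      # no leading '#': the include is live
            return "active"
        state = "commented"         # keep looking; a later live include wins
    return state


def rule_state(rules_text, sid):
    """Same three states for the rule carrying the given sid inside a rules file."""
    pat = re.compile(r"\bsid\s*:\s*%d\s*;" % sid)
    state = "missing"
    for line in rules_text.splitlines():
        if not pat.search(line):
            continue
        if line.lstrip().startswith("#"):
            state = "commented"
        else:
            return "active"
    return state


def audit(conf_text, rules_text, rules_file="scan.rules", sid=1228):
    """Both states together explain a sensor that never fires the nmap XMAS signature."""
    return {"include": include_state(conf_text, rules_file),
            "rule": rule_state(rules_text, sid)}


def uncomment(text, needle):
    """Strip the leading '#' from every commented line containing needle (the fix Rich describes)."""
    out = []
    for line in text.splitlines():
        stripped = line.lstrip()
        if needle in line and stripped.startswith("#"):
            line = stripped[1:].lstrip()
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONF, SAMPLE_RULES))
    fixed_conf = uncomment(SAMPLE_CONF, "scan.rules")
    fixed_rules = uncomment(SAMPLE_RULES, "sid:1228;")
    print("after: ", audit(fixed_conf, fixed_rules))
```

Run the audit on the real files with open('/usr/local/snort/snort.conf').read() (or wherever your snort.conf lives); once both states read "active", restart Snort with -A console as Rich shows and the sid 1228 alerts should appear.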
Rich Rumble (Security Samurai) commented:
Oh, and it's probably more efficient to have one mirrored port on the switch, as indicated above; Cisco calls it a SPAN port or port monitor: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
Other switch makers call it a port mirror as well...
http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/sampling-config21.html
Installing BASE makes Snort easy to work with. If you're deploying a lot of sensors to different switches, I recommend Aanval as a front-end to Snort; it does a good job of aggregating all the sensors.
-rich