Snort

Posted on 2009-05-11
Last Modified: 2013-12-16
I am using snort 2.8.4.1 on Fedora 6 with two LAN cards. I have some doubts about snort; I have mentioned some questions below.

My snort configuration

eth0 = IP not set, but it will be up at boot time
eth1 = 192.168.1.30
In the snort startup script I have mentioned the interface as eth0.
Snort is running as a service.

These are my questions:

1) If I need to monitor all my servers in my network, do I need to configure snort on all the servers individually?

2) If any intrusion occurs in my network or on any client PC in my network, will snort alert?

3) Snort is alerting when I use nmap to scan ports on the snort PC, but snort is not alerting when I use nmap to scan ports on other client PCs or servers in my network.

Question by: rajasekarramasamy

Assisted Solution by: Teacish
1) If you want to use snort to monitor network threats, you will need to set one of the interfaces into monitor mode so it can capture data correctly. You should not need to put it on each machine to be able to detect intrusions. However, if you have routing that prevents traffic from one network to another, then you would need to set it up on a machine in each network.

2) Snort will only alert if it captures network traffic that it thinks is an attempt to attack a machine. This is based on the signature database. If something is happening locally on a machine then it will not alert.

3) Unless that interface is plugged into a hub, you will need to configure the switch to allow monitoring on that port. For example, with a Cisco switch you will need to set up port spanning, or you will only see a very limited amount of traffic.

Hope this helps.

Author Comment by: rajasekarramasamy
Thanks for your reply.

Is it possible to configure snort as a host-based intrusion detection system?

Expert Comment by: Teacish
Yes, it is possible to configure snort as a host-based IDS.

Unfortunately I have not configured it this way myself. I shall see if I can find you some links that may help.
Accepted Solution by: Rich Rumble
Make sure your snort.conf file reflects the proper path, and make sure the scan rules are not commented out:
#include $RULE_PATH/scan.rules <-- uncomment this line
and in the scan.rules file too, uncomment line 37:
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)

Try to have snort output alerts to the console:
snort -ieth0 -c/path/to/snort.conf -l/path/to/snort/log -Aconsole
(naturally, fill in the /path/to... with the right paths for you, like /usr/local/snort/snort.conf)
You should see activity that way. A good nmap scan to set that off is:
nmap -sX -P0 -T5 ip.ip.ip.ip (that will set off 1000 alerts)
Try this for fewer alerts (naturally, replace ip.ip.ip.ip with a DNS name or IP of a machine):
nmap -sX -P0 -T5 ip.ip.ip.ip -p 22,80,443
-rich
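As an added example (not part of the original thread or of Snort itself), here is a small Python check that does what Rich describes by hand: it parses a Snort 2.x snort.conf and rules file, reports which rule-file includes are commented out, and shows for each rule whether a leading '#' has disabled it. The snort.conf and scan.rules contents are constructed excerpts, not taken from a real install.

```python
import re

# Constructed excerpts of the two files Rich refers to; not from a real install.
SNORT_CONF = """var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
#include $RULE_PATH/scan.rules
"""
SCAN_RULES = """# scan.rules (constructed excerpt)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; classtype:attempted-recon; sid:624; rev:7;)
"""

# Snort 2.x rule header: [#]action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Options are key[:value]; pairs; a quoted msg value may itself contain ';'.
OPT_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;')

def parse_rule(line):
    """Return header fields plus an options dict, or None if the line is not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["disabled"] = rule["disabled"] is not None   # leading '#' present
    rule["options"] = {k: v.strip('"') for k, v in OPT_RE.findall(rule.pop("opts"))}
    return rule

def disabled_includes(conf_text):
    """Rule files whose 'include' line in snort.conf is commented out."""
    matches = (re.match(r"^#\s*include\s+(\S+)", ln.strip()) for ln in conf_text.splitlines())
    return [m.group(1) for m in matches if m]

def rule_status(rules_text):
    """Map sid -> (msg, enabled) for every rule line in a rules file."""
    status = {}
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule:
            status[rule["options"].get("sid")] = (rule["options"].get("msg"), not rule["disabled"])
    return status

if __name__ == "__main__":
    for path in disabled_includes(SNORT_CONF):
        print("snort.conf: include of %s is commented out" % path)
    for sid, (msg, enabled) in rule_status(SCAN_RULES).items():
        print("sid %s %-16s %s" % (sid, msg, "enabled" if enabled else "DISABLED"))
```

Point the two constants at the real files to audit an installation; a disabled include means nothing in that file fires no matter how the individual rules read.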
Expert Comment by: Rich Rumble
Oh, and it's probably more efficient to have one mirrored port on the switch, as indicated above. Cisco calls it a SPAN port or port monitor: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
Other switch makers call it port mirroring as well...
http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/sampling-config21.html
Installing BASE makes snort easy to work with. If you're deploying a lot of sensors to different switches, I recommend Aanval as a front-end to snort; it does a good job of aggregating all the sensors.
-rich