Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

SNORT IDS

Posted on 2010-11-15
8
Medium Priority
?
730 Views
Last Modified: 2013-11-29
hi i have configured snort its working fine. now I want to do few things ie

1:- If any one from outside tried to intrude in some devices like router its mail that ip to admin email id
2:- if there is some attack like dos etc it mail id to admin and block the ip

could any one tell me how to do that and how to make rule to  fullfill above creteria and run snort in IDS mode
0
Comment
Question by:NeerVerma
8 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 34144184
you need flexresp feature compiled in snort and then edit config files.
no need to block attacks that do not reach any service
danger to block icmp parameters or udp, as they can be easily forget to make you lock out yourself.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 34145159
SnortSam can also be used to update firewalls, but if your snort is listening on the outside exclusively your doomed to fail. The outside is under constant attack, and following up on the alerts is practically a waste of time, most times the data never makes it thru the firewall or routers ACL's, but snort will see these dozens if not hundreds of attacks and log/alert on them, but if they don't get through, it's a false positive. We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat. DDoS is probably not something you can handle as a customer, the ISP is better suited to address such blocks and they are equiped (typically) do see the traffic and do something about it more than a firewall rule is. If it's 2-3 host's your firewall logs should be able to show you that, and then adding a drop rule for them makes sense. Sending RST packets via snort is one way to deal with it, but often it's spoofed src information so the RST never reaches it's destination.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 34145166
correction > We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
Should read
We find it's best to put SNORT on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
-rich
0
NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

 

Author Comment

by:NeerVerma
ID: 34147983
how i can configured email address so that in case of alert it mail it to admin
0
 

Author Comment

by:NeerVerma
ID: 34169251
could any one let me know how i snort can send alerts to my email id
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 2000 total points
ID: 34169456
You need to use an alternate program to email snort alerts, whatever your frontend is for snort, which could be Base, Aanval, Snorby or Sguil. Snort itself lacks the ability.
-rich
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 34375912
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question