Solved

SNORT IDS

Posted on 2010-11-15
8
702 Views
Last Modified: 2013-11-29
hi i have configured snort its working fine. now I want to do few things ie

1:- If any one from outside tried to intrude in some devices like router its mail that ip to admin email id
2:- if there is some attack like dos etc it mail id to admin and block the ip

could any one tell me how to do that and how to make rule to  fullfill above creteria and run snort in IDS mode
0
Comment
Question by:NeerVerma
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 34144184
you need flexresp feature compiled in snort and then edit config files.
no need to block attacks that do not reach any service
danger to block icmp parameters or udp, as they can be easily forget to make you lock out yourself.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 34145159
SnortSam can also be used to update firewalls, but if your snort is listening on the outside exclusively your doomed to fail. The outside is under constant attack, and following up on the alerts is practically a waste of time, most times the data never makes it thru the firewall or routers ACL's, but snort will see these dozens if not hundreds of attacks and log/alert on them, but if they don't get through, it's a false positive. We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat. DDoS is probably not something you can handle as a customer, the ISP is better suited to address such blocks and they are equiped (typically) do see the traffic and do something about it more than a firewall rule is. If it's 2-3 host's your firewall logs should be able to show you that, and then adding a drop rule for them makes sense. Sending RST packets via snort is one way to deal with it, but often it's spoofed src information so the RST never reaches it's destination.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 34145166
correction > We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
Should read
We find it's best to put SNORT on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
-rich
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:NeerVerma
ID: 34147983
how i can configured email address so that in case of alert it mail it to admin
0
 

Author Comment

by:NeerVerma
ID: 34169251
could any one let me know how i snort can send alerts to my email id
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 34169456
You need to use an alternate program to email snort alerts, whatever your frontend is for snort, which could be Base, Aanval, Snorby or Sguil. Snort itself lacks the ability.
-rich
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34375912
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question