Solved

SNORT IDS

Posted on 2010-11-15
8
689 Views
Last Modified: 2013-11-29
hi i have configured snort its working fine. now I want to do few things ie

1:- If any one from outside tried to intrude in some devices like router its mail that ip to admin email id
2:- if there is some attack like dos etc it mail id to admin and block the ip

could any one tell me how to do that and how to make rule to  fullfill above creteria and run snort in IDS mode
0
Comment
Question by:NeerVerma
8 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 34144184
you need flexresp feature compiled in snort and then edit config files.
no need to block attacks that do not reach any service
danger to block icmp parameters or udp, as they can be easily forget to make you lock out yourself.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 34145159
SnortSam can also be used to update firewalls, but if your snort is listening on the outside exclusively your doomed to fail. The outside is under constant attack, and following up on the alerts is practically a waste of time, most times the data never makes it thru the firewall or routers ACL's, but snort will see these dozens if not hundreds of attacks and log/alert on them, but if they don't get through, it's a false positive. We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat. DDoS is probably not something you can handle as a customer, the ISP is better suited to address such blocks and they are equiped (typically) do see the traffic and do something about it more than a firewall rule is. If it's 2-3 host's your firewall logs should be able to show you that, and then adding a drop rule for them makes sense. Sending RST packets via snort is one way to deal with it, but often it's spoofed src information so the RST never reaches it's destination.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 34145166
correction > We find it's best to put the firewall on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
Should read
We find it's best to put SNORT on the link between the firewall/router to the outside. Then you can be more assured that what snort saw was a real threat.
-rich
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 

Author Comment

by:NeerVerma
ID: 34147983
how i can configured email address so that in case of alert it mail it to admin
0
 

Author Comment

by:NeerVerma
ID: 34169251
could any one let me know how i snort can send alerts to my email id
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 34169456
You need to use an alternate program to email snort alerts, whatever your frontend is for snort, which could be Base, Aanval, Snorby or Sguil. Snort itself lacks the ability.
-rich
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34375912
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now