LinuxQuestions.org


genderbender 06-21-2010 09:05 AM

Best hardware setup for snort
 
Hi, I plan to implement a server which will have an external interface and an internal one. I've been reading that snort operates in promiscuous mode - how can I have the interface running in promiscuous mode and have other services running (e.g. I plan to have cacti operating on the internal interface)? Perhaps I've misunderstood something, but I didn't know you could have processes running while an interface is in promiscuous mode? Perhaps I need a third port which just sniffs snort traffic or something?

Also, any guidance on setting snort up at all? Anything at all would be much appreciated...

unixfool 06-21-2010 09:36 AM

You can have processes running on an interface configured for promiscuous mode, yeah. It's not a best practice, though.

So yeah, a dedicated interface is best.

For setting up snort, snort.org is a great help, as is the included documentation within the snort package. Be prepared for lots of googling, as this software is NOT plug N play. As for best hardware, it depends on what you plan on doing. I've run a snort setup on an internal segment (and DMZ) on a P200 under OpenBSD and snort operated fine, but this was within a home environment...such a setup will cause problems in a business environment.

genderbender 06-21-2010 09:39 AM

So best practice would be 4 NICs then?! One for external management, one for internal services such as cacti, and two for both internal and external snort. Can I bridge them or segregate by VLAN, or do something a little... cheaper?

unixfool 06-21-2010 10:25 AM

I'd suggest dedicating a server for snort so it will be separate from your gateway device, as right now it seems that you want to run everything on one box...it's doable, but if something happens to your gateway, it may affect your snort setup also. The snort server should have two interfaces, one for internal monitoring and one for external monitoring. Run a cable from each, plugging into a switch/router/hub that is capable of enabling sniffing. The external interface will monitor traffic before the gateway/firewall, while the internal interface will plug into the network right after the firewall.

If you'd like a less complicated setup, you can settle for internal monitoring only, as external monitoring may not be needed if you've got a hardcore firewall setup. Do a risk assessment to better determine your needs regarding your snort setup.

You can do almost anything you'd like. In fact, you can do what you initially proposed...there are risks involved, though, which is why I mentioned risk assessment.

What is this for? A commercial environment or a home network? What's your goal? To learn or to secure (or both). Answering those questions can help people give you better answers.
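As an added example (not code from this thread or from the Snort project): a POSIX shell script that prepares the two dedicated monitoring ports unixfool describes, one internal and one external, by stripping any IP address and enabling promiscuous mode, then checks that each port is in the expected state before printing the Snort command line for it. The interface names eth1/eth2 and the config path /etc/snort/snort.conf are assumptions; the parsing functions read `ip` output on stdin so they can be checked without root.

```shell
#!/bin/sh
# Added example, not from the thread. Prepares dedicated Snort monitoring
# ports (one internal, one external, as suggested above) and verifies them.
# Interface names are assumptions; override with MON_IFS="eth1 eth2".
MON_IFS="${MON_IFS:-eth1 eth2}"

# Read `ip -o link show <if>` output on stdin; succeed if PROMISC is set.
link_is_promisc() {
    grep -q '<[^>]*PROMISC[^>]*>'
}

# Read `ip -o addr show <if>` output on stdin; succeed if no IPv4/IPv6
# address is assigned. A sniffing port with no address cannot be reached,
# so management services (cacti, ssh) stay on the separate management NIC.
link_has_no_address() {
    ! grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Strip addresses and enable promiscuous mode. Requires root.
prepare_mon_interface() {
    ip addr flush dev "$1"
    ip link set dev "$1" up promisc on
}

# Report the state of one port; return 1 if it is not ready for Snort.
check_mon_interface() {
    ok=0
    if ip -o link show "$1" | link_is_promisc; then
        echo "$1: promiscuous mode on"
    else
        echo "$1: promiscuous mode OFF"; ok=1
    fi
    if ip -o addr show "$1" | link_has_no_address; then
        echo "$1: no IP address assigned"
    else
        echo "$1: still has an IP address"; ok=1
    fi
    return "$ok"
}

# Print the Snort command line for one port (config path is an assumption).
snort_cmdline() {
    echo "snort -c /etc/snort/snort.conf -i $1"
}

main() {
    for ifc in $MON_IFS; do
        prepare_mon_interface "$ifc"
        check_mon_interface "$ifc" || exit 1
        snort_cmdline "$ifc"
    done
}

# Only act when run as a script named prep-snort-ifaces.sh, not when sourced
# for the parsing checks above.
case "${0##*/}" in
    prep-snort-ifaces.sh) main ;;
esac
```

Run as root on the Snort box (`sh prep-snort-ifaces.sh`); the management NIC is left untouched, so the OP's cacti instance keeps its address while the monitoring ports have none. Because each monitoring port has no address, there is nothing on it for a remote host to connect to, which is the practical reason a dedicated sniffing interface is preferred over sharing one with services.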

genderbender 06-21-2010 10:32 AM

I was reading that and suddenly it clicked, and I realised exactly what you meant with the gateway stuff: in order for external traffic to be sniffed it would have to be at a high level between a PIX and a webserver, and thus would be a single point of failure. I reckon just running it internally would be significantly safer.

Thanks very much for your advice.

unixfool 06-21-2010 10:45 AM

No problem! I'm glad I could help! Good luck in your endeavors as a snort admin...as frustrating as things can sometimes get with configuring snort, there's the reward of accomplishment when things finally come together!

genderbender 06-21-2010 10:46 AM

I'll probably give it a shot virtually or something so I've got some idea what I'm doing when I go live.
