Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Hi, I plan to implement a server which will have an external interface and an internal one. I've been reading that snort operates in promiscuous mode - how can I have the interface running in promiscuous mode and have other services running (e.g. I plan to have cacti operating on the internal interface)? Perhaps I've misunderstood something, but I didn't know you could have processes running while an interface is in promiscuous mode? Perhaps I need a third port which just sniffs snort traffic or something?
Also, any guidance on setting snort up at all? Anything at all would be much appreciated...
You can have processes running on an interface configured for promiscuous mode, yeah. It's not a best practice, though.
So yeah, a dedicated interface is best.
For setting up snort, snort.org is a great help, as is the included documentation within the snort package. Be prepared for lots of googling, as this software is NOT plug and play. As for best hardware, it depends on what you plan on doing. I've run a snort setup on an internal segment (and DMZ) on a P200 under OpenBSD and snort operated fine, but this was within a home environment... such a setup will cause problems in a business environment.
So best practice would be 4 NICs then?! One for external management, one for internal services such as cacti, and two for both internal and external snort. Can I bridge them or segregate by VLAN, or do something a little... cheaper?
I'd suggest dedicating a server for snort so it will be separate from your gateway device, as right now it seems that you want to run everything on one box... it's doable, but if something happens to your gateway, it may affect your snort setup also. The snort server should have two interfaces, one for internal monitoring and one for external monitoring. Run a cable from each, plugging into a switch/router/hub that is capable of enabling sniffing. The external interface will monitor traffic before the gateway/firewall while the internal interface will plug into the network right after the firewall.
If you'd like a less complicated setup, you can settle for internal monitoring only, as external monitoring may not be needed if you've got a hardcore firewall setup. Do a risk assessment to better determine your needs regarding your snort setup.
You can do almost anything you'd like. In fact, you can do what you initially proposed...there are risks involved, though, which is why I mentioned risk assessment.
What is this for? A commercial environment or a home network? What's your goal? To learn or to secure (or both). Answering those questions can help people give you better answers.
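The two replies above (a dedicated sniffing NIC with nothing else bound to it, and a separate sensor box with one monitoring interface per segment fed from a mirror/SPAN port) can be put into a small script. This is an added example, not code from the thread or from the Snort project; it assumes Linux with iproute2 and sysfs, Snort 2.x command-line options (-i, -c, -l, -A, -D), and hypothetical names: eth1/eth2 as the internal/external sniffing NICs, /etc/snort/snort.conf, and log directories under /var/log/snort.

```shell
#!/bin/sh
# Added example, not from the thread. Prepare dedicated sniffing NICs for Snort
# and confirm the kernel really has them in promiscuous mode.
# Assumed names: eth1 (internal segment), eth2 (external segment),
# /etc/snort/snort.conf, /var/log/snort/<segment>.

# IFF_PROMISC from <linux/if.h>; /sys/class/net/<if>/flags reports the same bits in hex.
IFF_PROMISC=256

# flags_has_promisc HEXFLAGS: exit 0 if the promiscuous bit is set in a hex flags
# value such as "0x1103" (UP | BROADCAST | PROMISC | MULTICAST), else exit 1.
flags_has_promisc() {
    flags=$(( $1 ))                   # POSIX sh arithmetic accepts 0x-prefixed hex
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# addr_count: read `ip -o addr show dev <if>` output on stdin and print how many
# IPv4/IPv6 addresses are assigned. A pure sniffing NIC should report 0:
# the sensor must not answer ARP/ND or accept connections on the mirrored segment.
addr_count() {
    grep -c -E '^[0-9]+: [^ ]+ +inet6? ' || true
}

# prepare_sniff_if IF: strip every address, stop IPv6 autoconfiguring a new one,
# switch promiscuous mode on, bring the link up, then verify via sysfs.
prepare_sniff_if() {
    ifc=$1
    ip addr flush dev "$ifc"
    sysctl -q -w "net.ipv6.conf.$ifc.disable_ipv6=1"
    ip link set dev "$ifc" promisc on
    ip link set dev "$ifc" up
    if [ "$(ip -o addr show dev "$ifc" | addr_count)" -ne 0 ]; then
        echo "$ifc still has an address assigned; refusing to sniff on it" >&2
        return 1
    fi
    flags_has_promisc "$(cat "/sys/class/net/$ifc/flags")"
}

# start_snort IF LOGDIR: one daemonised Snort instance per monitored interface,
# each with its own log directory so internal and external alerts stay separate.
start_snort() {
    ifc=$1
    logdir=$2
    mkdir -p "$logdir"
    snort -D -i "$ifc" -c /etc/snort/snort.conf -l "$logdir" -A fast
}

# Usage (as root):  ./sensor.sh internal    or    ./sensor.sh external
case "${1:-}" in
    internal) prepare_sniff_if eth1 && start_snort eth1 /var/log/snort/internal ;;
    external) prepare_sniff_if eth2 && start_snort eth2 /var/log/snort/external ;;
esac
```

libpcap already puts the capture interface into promiscuous mode when Snort opens it; setting it explicitly and then reading /sys/class/net/eth1/flags just makes the intended state visible and checkable (0x1103 is what a correctly prepared interface typically reports, 0x1003 means promiscuous mode is off). The interface on the switch side still has to be a mirror/SPAN port (or a hub tap) or the NIC will only ever see its own broadcast traffic. Management (cacti, SSH) stays on a separate, addressed NIC, which is the 3- or 4-NIC layout discussed above.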
I was reading that and suddenly it clicked: I realised exactly what you meant with the gateway stuff. In order for external traffic to be sniffed, it would have to be at a high level, between a PIX and a webserver, and thus would be a single point of failure. I reckon just running it internally would be significantly safer.
No problem! I'm glad I could help! Good luck in your endeavors as a snort admin... as frustrating as things can sometimes get with configuring snort, there is the reward of accomplishment when things finally come together!