LinuxQuestions.org
Linux - Security forum
Old 06-21-2010, 10:05 AM   #1
genderbender
Best hardware setup for snort


Hi, I plan to implement a server which will have an external interface and an internal one. I've been reading that snort operates in promiscuous mode - how can I have the interface running in promiscuous mode and have other services running (e.g. I plan to have cacti operating on the internal interface)? Perhaps I've misunderstood something, but I didn't know you could have processes running while an interface is in promiscuous mode. Perhaps I need a third port which just sniffs snort traffic or something?

Also, any guidance on setting snort up at all? Anything at all would be much appreciated...
 
Old 06-21-2010, 10:36 AM   #2
unixfool
You can have processes running on an interface configured for promiscuous mode, yeah. It's not a best practice, though.

So yeah, a dedicated interface is best.

For setting up snort, snort.org is a great help, as is the included documentation within the snort package. Be prepared for lots of googling, as this software is NOT plug and play. As for best hardware, it depends on what you plan on doing. I've run a snort setup on an internal segment (and DMZ) on a P200 under OpenBSD and snort operated fine, but this was within a home environment...such a setup will cause problems in a business environment.
 
Old 06-21-2010, 10:39 AM   #3
genderbender
Original Poster
So best practice would be 4 NICs then?! One for external management, one for internal services such as cacti and two for both internal and external snort. Can I bridge them or segregate by VLAN or do something a little... cheaper?
 
Old 06-21-2010, 11:25 AM   #4
unixfool
I'd suggest dedicating a server for snort so it will be separate from your gateway device, as right now, it seems that you want to run everything on one box...it's doable, but if something happens to your gateway, it may affect your snort setup also. The snort server should have two interfaces, one for internal monitoring and one for external monitoring. Run a cable from each, plugging into a switch/router/hub that is capable of enabling sniffing. The external interface will monitor traffic before the gateway/firewall while the internal interface will plug into the network right after the firewall.

If you'd like a less complicated setup, you can settle for internal monitoring only, as external monitoring may not be needed if you've got a hardcore firewall setup. Do a risk assessment to better determine your needs regarding your snort setup.

You can do almost anything you'd like. In fact, you can do what you initially proposed...there are risks involved, though, which is why I mentioned risk assessment.

What is this for? A commercial environment or a home network? What's your goal? To learn or to secure (or both)? Answering those questions can help people give you better answers.

Last edited by unixfool; 06-21-2010 at 11:27 AM.
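The two replies above come down to one practical rule: the NIC Snort listens on should be a dedicated sensor port, plugged into a SPAN/mirror port or tap, in promiscuous mode, and carrying no IP address so nothing on that segment can reach or fingerprint the IDS. The following is an added example (not code from the thread or from the Snort project) that checks a Linux interface against that rule. It assumes Linux sysfs (`/sys/class/net/<iface>/flags`), the `ip` tool from iproute2, and an interface name such as `eth2`; the flag bit values are the ones from the kernel's `include/uapi/linux/if.h`, while the list of what counts as a problem is this example's own policy.

```python
"""Check that a NIC dedicated to Snort is in a sane "sensor port" state.

Added example, not code from the thread. It reads the Linux interface
flag word from /sys/class/net/<iface>/flags, decodes it with the bit
values from include/uapi/linux/if.h, and reports the things that bite a
new sensor: port down, no carrier, promiscuous mode not enabled, or an
IP address left on a port that should be invisible on the wire.
The policy (what counts as a problem) is this example's own choice.
"""
import re
import subprocess
import sys
from typing import Dict, List, Set

# Bit values from include/uapi/linux/if.h
IFF_FLAGS: Dict[int, str] = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x40: "RUNNING",
    0x100: "PROMISC",
    0x1000: "MULTICAST",
}


def decode_flags(flag_word: int) -> Set[str]:
    """Return the names of the known flag bits set in the kernel flag word."""
    return {name for bit, name in IFF_FLAGS.items() if flag_word & bit}


def read_flags(iface: str) -> int:
    """Read the live flag word for an interface (sysfs gives hex, e.g. '0x1103')."""
    with open("/sys/class/net/%s/flags" % iface) as fh:
        return int(fh.read().strip(), 16)


def parse_ip_addr(output: str) -> List[str]:
    """Extract the CIDR addresses from `ip -o addr show dev <iface>` output."""
    addrs = []
    for line in output.splitlines():
        match = re.search(r"\s(inet6?)\s+(\S+)", line)
        if match:
            addrs.append(match.group(2))
    return addrs


def list_addresses(iface: str) -> List[str]:
    """Run `ip -o addr show dev <iface>` and return the addresses on it."""
    out = subprocess.run(["ip", "-o", "addr", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    return parse_ip_addr(out)


def assess_sensor_port(flag_word: int, addresses: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the port looks right.

    Caveat: the kernel reports PROMISC here when promiscuity was set
    administratively (ip link set <iface> promisc on). Promiscuity that
    libpcap requests on its own socket is tracked separately and may not
    appear in this flag word, which is one reason to set it explicitly
    on a sensor port.
    """
    flags = decode_flags(flag_word)
    problems = []
    if "LOOPBACK" in flags:
        problems.append("this is the loopback interface, not a sensor port")
    if "UP" not in flags:
        problems.append("interface is administratively down")
    if "RUNNING" not in flags:
        problems.append("no carrier: check the cable to the SPAN/mirror port or tap")
    if "PROMISC" not in flags:
        problems.append("promiscuous mode is off; Snort would only see frames "
                        "addressed to this NIC's own MAC")
    # A sensor port should carry no routable address so nothing can reach,
    # scan or fingerprint the IDS through it. The auto-assigned IPv6
    # link-local address (fe80::/10, normally fe80::...) is tolerated.
    routable = [a for a in addresses if not a.lower().startswith("fe80:")]
    if routable:
        problems.append("sensor port has addresses %s; flush them with "
                        "`ip addr flush dev <iface>`" % ", ".join(routable))
    return problems


if __name__ == "__main__":
    # Usage: python3 check_sensor_port.py eth2   (eth2 is an assumed name)
    name = sys.argv[1] if len(sys.argv) > 1 else "eth2"
    findings = assess_sensor_port(read_flags(name), list_addresses(name))
    for item in findings or ["%s looks like a usable sensor port" % name]:
        print(item)
    sys.exit(1 if findings else 0)
```

Run it after `ip link set eth2 promisc on` and `ip addr flush dev eth2`, before starting Snort on that interface; a non-zero exit means one of the checks failed. The management and cacti traffic stay on a separate, addressed NIC, which is the split the replies above recommend.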
 
Old 06-21-2010, 11:32 AM   #5
genderbender
Original Poster
I was reading that and suddenly it clicked and I realised exactly what you meant with the gateway stuff: in order for external traffic to be sniffed it would have to be at a high level between a PIX and a webserver and thus would be a single point of failure. I reckon just running it internally would be significantly safer.

Thanks very much for your advice
 
Old 06-21-2010, 11:45 AM   #6
unixfool
No problem! I'm glad I could help! Good luck in your endeavors as a snort admin...as frustrating as things can sometimes get with configuring snort, there's the reward of accomplishment when things finally come together!
 
Old 06-21-2010, 11:46 AM   #7
genderbender
Original Poster
I'll probably give it a shot virtually or something so I've got some idea what I'm doing when I go live.
 