LinuxQuestions.org
Old 09-10-2004, 11:41 AM   #1
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Rep: Reputation: 30
Snort/ACID as an IDS


I was wondering something. I am looking at deploying Snort/ACID on a few servers I have exposed to the WAN. Is it considered insecure to leave an interface that is connected to the WAN in promiscuous mode?
 
Old 09-10-2004, 11:49 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Not in and of itself, but you are adding another piece of software that can be (and has been) vulnerable to remote exploitation. An ideal way to run Snort is on a dedicated machine that is connected by an "ethertap", which is basically a one-way ethernet cable (see the Snort docs for a howto). That way you're significantly reducing the likelihood of the IDS getting compromised.
 
Old 09-10-2004, 11:52 AM   #3
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Original Poster
Rep: Reputation: 30
Yeah, I was hoping that I wouldn't have to install Apache, ACID, Snort, MySQL, etc. on every machine I want to monitor. This just seems like an overhead nightmare alongside the added security risks.

Thanks man, I will dig a little deeper.
 
Old 09-10-2004, 12:05 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You can actually install a bunch of Snort sensors that then send logs to a central analysis console that has ACID/MySQL/Apache on it. Those apps really just make reviewing your logs more convenient. That may sound trivial, but on a fairly substantial network, Snort logs can get really big in a short amount of time. Installing Snort on every machine is probably overkill. Putting it on a few well-selected machines that can observe all network traffic is probably a better solution.
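Not part of the thread: an added example of the aggregation step a central console performs over Snort "alert_fast" lines collected from several sensors, which is what makes the sensor/console split manageable once logs grow. The sensor names, alert lines and signature ids below are constructed sample data, not captures from any real network.

```python
import re
from collections import Counter, defaultdict

# Snort 2.x "alert_fast" output: one alert per line. Classification is optional
# (rules without a classtype omit it); ICMP alerts carry no ports; IPv4 only here.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    for key in ("src", "dst"):                 # split "ip:port" (no port for ICMP)
        ip, _, port = rec[key].rpartition(":")
        rec[key + "_ip"], rec[key + "_port"] = (ip, port) if ip else (rec[key], None)
    return rec

def summarize(sensor_logs):
    """Aggregate {sensor: [lines]} the way a central console would: hits per
    signature across all sensors, alerting source IPs per sensor, unparsed lines."""
    by_sig, per_sensor_src, unparsed = Counter(), defaultdict(Counter), 0
    for sensor, lines in sensor_logs.items():
        for line in lines:
            rec = parse_alert(line)
            if rec is None:
                unparsed += 1
                continue
            by_sig[(rec["gid"], rec["sid"], rec["msg"])] += 1
            per_sensor_src[sensor][rec["src_ip"]] += 1
    return {"by_signature": by_sig, "sources": per_sensor_src, "unparsed": unparsed}

# Constructed sample logs from two hypothetical sensors (not real traffic).
SENSOR_LOGS = {
    "dmz-sensor": [
        "09/10-11:41:23.123456  [**] [1:2003:8] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:1234 -> 198.51.100.5:161",
        "09/10-11:41:24.500000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 198.51.100.5",
        "Sep 10 11:41:25 dmz-sensor snort[1234]: not an alert line",
    ],
    "lan-sensor": [
        "09/10-11:43:10.250000  [**] [1:2003:8] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:1235 -> 198.51.100.20:161",
        "09/10-11:44:00.000000  [**] [1:1000001:1] LOCAL rule without classtype [**] [Priority: 1] {TCP} 203.0.113.9:5555 -> 198.51.100.20:22",
    ],
}
```

Running `summarize(SENSOR_LOGS)` shows the same signature firing on both sensors from one source, which is the cross-sensor view a single-host install never gives you.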
 
Old 09-10-2004, 12:14 PM   #5
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Original Poster
Rep: Reputation: 30
"Snort sensors"

Cool...