LinuxQuestions.org
09-14-2004, 10:28 AM   #1
TruckStuff (Member, registered Apr 2002, 498 posts)
Snort/ACID setup q


I'm going to be installing snort and ACID on one of our servers to monitor our network. This server already has some services (email, apache) running on it, so I'd like some advice on how to set everything up.

I've been doing some reading and everyone seems to agree that the best way to set up snort is listening in promiscuous mode on its own interface via a "one-way" network cable. To this end, I've installed a second NIC in this server and bound all existing services to listen on eth0.

I assume Google will help me with creating a one-way network cable for eth1? This probably seems silly, but my biggest question is which way?? Does eth1 need to send only or receive only?

Also, I've seen some talk about snort sensors running on other boxes on the network. If I run eth1 on this box in promiscuous mode, do I need to worry about snort sensors if everything is on the same network? TIA.
 
09-14-2004, 10:33 AM   #2
TruckStuff (Original Poster)
Something else I forgot to mention is that we are running a switched network, not hubs. Current topology:
Code:
                                   /---------> IDS Box
                                  /
                                 /
Internet --> Router 1 ---> Switch---> Router 2 ----> Corporate PCs
                                 \
                                  \ 
                                   \---------> Other Servers
Should I drop a hub in between Router 1 and the switch and plug eth1 on the IDS box into the hub?

Last edited by TruckStuff; 09-14-2004 at 10:38 AM.
 
09-14-2004, 10:45 AM   #3
jeremy (root, registered Jun 2000; Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu)
A network tap would be the ideal solution. Enabling SPAN (or whatever your switch calls it) if your switch supports it would also work.

--jeremy
 
09-14-2004, 01:20 PM   #4
TruckStuff (Original Poster)
Hmmm... after googling for a while on how to make read-only cat5s, I haven't come up with an "easy" solution. I'm hoping there is a way to make one without adding capacitors, soldering, or other unsightly messes. Anyone got a good howto?
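For the layout in the first post (services bound to eth0, snort reading eth1 in promiscuous mode off a hub, tap or SPAN port as jeremy suggests), the sensor-side script below is an added example and not something posted in this thread. It assumes Linux with iproute2, the eth0/eth1 names from the thread, and constructed command output for its self-checks.

```shell
#!/bin/sh
# Added example, not from the thread: make the IDS box's second NIC a passive
# sensor port and verify that nothing is reachable or listening through it.
# Assumes Linux with iproute2; eth0/eth1 follow the thread, and the sample
# command output below is constructed for the self-checks.
# Commands that make $1 a listen-only sensor interface: no IP address, no ARP
# replies, promiscuous so hub/SPAN/tap traffic is captured. They are printed,
# not executed, so they can be reviewed first (pipe into sh as root to apply).
sensor_iface_cmds() {
    printf '%s\n' \
        "ip addr flush dev $1" \
        "ip link set dev $1 arp off" \
        "ip link set dev $1 multicast off" \
        "ip link set dev $1 promisc on" \
        "ip link set dev $1 up"
}

# $1 = output of `ip addr show <iface>`. Succeeds only if the interface has no
# IPv4 address and carries the NOARP and PROMISC flags: it hears everything on
# the segment but cannot be addressed from it.
iface_is_stealth() {
    printf '%s\n' "$1" | grep -q 'inet ' && return 1
    printf '%s\n' "$1" | grep -q '<[^>]*NOARP[^>]*>' || return 1
    printf '%s\n' "$1" | grep -q '<[^>]*PROMISC[^>]*>'
}

# $1 = output of `ss -ltn` (netstat -ltn has the same column). Succeeds only if
# every listener is bound to a specific address, so the mail and web daemons
# moved to eth0 cannot answer on the sensor NIC by accident.
no_wildcard_listeners() {
    ! printf '%s\n' "$1" | awk 'NR > 1 { print $4 }' \
        | grep -Eq '^(0\.0\.0\.0|\*|\[::\]):'
}

# Constructed sample output used by the checks below.
STEALTH_IF='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff'
SERVICE_IF='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:00:5e:00:53:00 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'
GOOD_LISTEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    192.0.2.10:25      0.0.0.0:*
LISTEN 0      128    192.0.2.10:80      0.0.0.0:*'
BAD_LISTEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    192.0.2.10:80      0.0.0.0:*'
sensor_iface_cmds eth1
iface_is_stealth "$STEALTH_IF" && echo "eth1: passive sensor port OK"
no_wildcard_listeners "$GOOD_LISTEN" && echo "listeners: bound to eth0 only"
no_wildcard_listeners "$BAD_LISTEN" || echo "listeners: wildcard bind found, fix it"
```

Which direction the cable or tap passes traffic is a physical-layer question the script cannot answer; it only makes sure the sensor port itself has no address to answer from and that the services stay on eth0.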