LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-23-2005, 10:10 AM   #1
mikeindo
Member
 
Registered: May 2004
Posts: 43

Rep: Reputation: 15
snort & wiring


I'm implementing Snort in our office and am not sure what the ideal (or even acceptable) cabling set-up is. I have two ethernet cards installed and can ping both static IPs from another computer. However, the Snort box's two NICs are not plugged into their own network switch ports; rather, there is one cable from the switch leading to a hub, and the Snort box's NICs are plugged into it. Is that ok? Will it still do its job even if it's not directly plugged into the switch? FYI, this is on RedHat 9. Thanks in advance.
 
Old 06-23-2005, 10:45 AM   #2
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Arctic
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820

Rep: Reputation: 46
The hub shouldn't be a problem, since all traffic goes to each port on the hub. I have found that the best place to set up a Snort box is on a switch port that has monitoring enabled. Some switches have special ports for this. Essentially, all traffic crossing the switch is also routed to that port. That gives Snort its best chance to catch improper/dangerous network traffic. It is also nice to have Snort running on a proxy/gateway server.
 
Old 06-23-2005, 11:04 AM   #3
mikeindo
Member
 
Registered: May 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Pcghost, thanks for the quick reply. Just so we're clear, the Snort box is the only computer plugged into the 4-port hub. It's the hub that's then plugged into the 24-port switch.

Yeah, I know it's a good idea to run it at/as the gateway too. Might try that one next! But for now, just trying it out internally.

Sadly, our switches are dumb (unmanaged) and don't have that monitoring capability. But thanks for the info!

Anything else on this specific topic I should be aware of?
 
Old 06-23-2005, 01:34 PM   #4
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
You are not going to see much/any traffic this way. The switch will not flood all the ports (unless the CAM tables are not populated, then it will flood the ports once, and then when it discovers where each MAC is plugged in, it will then not flood the ports anymore). It will make a decision based on destination MAC address and send it to the proper port (which should never be your snort box). Also, you don't want to have an IP address on the monitoring interface. That could possibly let an attacker know you are running IDS, and then they can run tcpdump to see what traffic it is flagging on, and work around that.
What you need to do in this situation is get yourself an ethernet tap and plug your snort box monitoring interface into the tap.
If you have the resources, I would suggest getting the latest Snort book.

---edit---
I don't know your network setup, but if it is something like
router
|
|
switch
|\
| \
hub/clients, you could switch the location of the switch and hub, then you would see what is coming in, but still wouldn't see what is going on in the switch environment, this way you wouldn't have to buy any additional hardware

Last edited by jonlake; 06-23-2005 at 01:43 PM.
 
Old 06-23-2005, 01:58 PM   #5
mikeindo
Member
 
Registered: May 2004
Posts: 43

Original Poster
Rep: Reputation: 15
Wow. Ok, well, I've been working off a Snort 2.0 book (I know it's not the latest book) and I guess just haven't come to that section yet. Yes, you basically got the network layout right: router --> firewall --> switch --> clients (and hub). So you're saying that even if I plugged the Snort box's NICs directly into two of the switch ports, I wouldn't be able to see much? That sucks. I know the book's instructions mainly cover set-ups like 'Router --> IDS --> Firewall (or even straight to LAN)', but surely they've accounted for set-ups like I want (just sitting inside the LAN)!? Or is that the tap described?

Swap the switch and hub? Can't/won't do that for a number of reasons...

"you don't want to have an IP address on the monitoring interface."

I assume you mean a static IP address?

Given what I want to do (monitor LAN traffic only), should I just abandon Snort and use Ethereal or an equivalent?
 
Old 06-23-2005, 02:29 PM   #6
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
Snort inspects/reads every packet just like ethereal does; you will not see anything in ethereal that you will not see in snort. The problem is that you have a switch without a span/monitor port. You will need to either use a hub instead of a switch, or get a switch with a span port. That is how you watch traffic inside the LAN.

The tap is basically a three way device that allows you to tap into an ethernet cable.

ex:
router/firewall
|
|____ Snort Monitoring box plugged into tap to watch what is coming into your network.
|
|
Switch/DMZ/whatever


As far as I said earlier, you have two interfaces on your snort box. The one in promiscuous mode doesn't have an IP address. A lot of people actually cut the transmit wires right out of the ethernet cable. The one you will use to connect to it to look at reporting will have an IP address.
 
Old 06-23-2005, 02:42 PM   #7
mikeindo
Member
 
Registered: May 2004
Posts: 43

Original Poster
Rep: Reputation: 15
ok, so then just for my own information, if this snort box were located between a router and firewall for use as an IDS for external attacks, a tap or being plugged into a spanning/monitoring port wouldn't be necessary? funny, i've been considering getting a managed switch for other reasons anyway...

on your second point about having no IP address, very interesting. i've never heard of that before (having NO address at all). how does that work? i mean, how do you just not have an IP address at all (since the network config forces you to pick either static or DHCP)? forgive my ignorance. and does that apply in all Snort cases, or just in my desired set-up?
 
Old 06-23-2005, 03:19 PM   #8
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
It all comes down to what you want to monitor. If you want to monitor for external attacks, a tap would be a way to go (as I described earlier). If you want to watch what your users are doing, you will definitely need a switch with a span port, or use a hub.

As far as no IP address, think of it like this. If you are eavesdropping on someone's conversation, you don't want to open your mouth and let them know you are there. The same concept applies for IDS. You are listening (card in promiscuous mode) to all the traffic. You don't want to let an attacker know you are doing so. This isn't required, but is an option of how to utilize IDS. I could be wrong, but I think ifconfig ethx down and ifconfig ethx promisc would do this for you.

Read this for some good information.
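The two-interface layout jonlake describes (a sniffing NIC in promiscuous mode with no IP address, plus a separate management NIC that does carry an address) can be checked from ifconfig output. This is an added example, not code from the thread or from Snort. The ifconfig text is constructed sample output in the net-tools format of the RedHat 9 era, and the interface names eth0 (management) and eth1 (monitor) are assumptions.

```python
# Added example (not from the thread): audit a Snort sensor's two NICs from ifconfig
# output. The thread's layout is: sniffing NIC promiscuous and addressless, management
# NIC addressed. Both ifconfig texts below are constructed samples, not real captures.
import re

# Constructed: a sensor wired the way the thread recommends.
GOOD_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:12:34:56
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1024 errors:0 dropped:0 overruns:0 frame:0
          TX packets:512 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:0C:29:12:34:57
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:98765 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""

# Constructed: the same box with the sniffing NIC addressed and not promiscuous.
BAD_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:12:34:56
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0C:29:12:34:57
          inet addr:192.168.1.21  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

INET_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+)")
# The flags line is a run of upper-case words followed by "MTU:".
FLAGS_RE = re.compile(r"^\s*((?:[A-Z]+\s+)+)MTU:", re.MULTILINE)


def parse_ifconfig(text):
    """Return {iface: {"inet": IPv4 address or None, "flags": set of flag words}}."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or lines[0][0].isspace():
            continue                        # not the first line of an interface block
        name = lines[0].split()[0]
        inet = INET_RE.search(block)
        flags = FLAGS_RE.search(block)
        result[name] = {
            "inet": inet.group(1) if inet else None,
            "flags": set(flags.group(1).split()) if flags else set(),
        }
    return result


def audit_sensor(ifaces, monitor="eth1", mgmt="eth0"):
    """Check the sniffing and management NICs against the thread's layout.
    Returns a list of findings; an empty list means the layout matches."""
    if monitor == mgmt:
        return ["monitor and management interface must be different NICs"]
    findings = []
    mon = ifaces.get(monitor)
    if mon is None:
        findings.append(f"{monitor}: not present")
    else:
        if "UP" not in mon["flags"]:
            findings.append(f"{monitor}: interface is down")
        if "PROMISC" not in mon["flags"]:
            findings.append(f"{monitor}: not in promiscuous mode, sees only frames addressed to it")
        if mon["inet"] is not None:
            findings.append(f"{monitor}: has address {mon['inet']}; a sniffing NIC should carry no IP")
    mg = ifaces.get(mgmt)
    if mg is None or mg["inet"] is None:
        findings.append(f"{mgmt}: management interface needs an address to pull reports")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_IFCONFIG), ("bad", BAD_IFCONFIG)):
        print(label, audit_sensor(parse_ifconfig(text)) or "OK")
```

On a real sensor, feed the output of ifconfig -a to parse_ifconfig. With net-tools, ifconfig eth1 0.0.0.0 promisc up brings the interface up with no address in promiscuous mode; with iproute2 the equivalent is ip addr flush dev eth1 followed by ip link set dev eth1 promisc on up. Snort itself opens its capture interface in promiscuous mode through libpcap, so the PROMISC flag also shows up while it is running.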
 
Old 06-23-2005, 04:11 PM   #9
mikeindo
Member
 
Registered: May 2004
Posts: 43

Original Poster
Rep: Reputation: 15
thanks a ton for the IP info!

like i said before, maybe i just haven't gotten there in the book, but they sure don't say anything about using a tap! or using scanning/monitoring switches, for that matter. they make it sound (or appear in the diagrams) that you just plug both NICs into the switch (one set to promiscuous mode) and it'd just pick up all the network traffic you set it to look for once enabled/activated. i guess that's too simple...

oh yeah, if we got managed switches, would i just have to plug in one NIC into a scanning-enabled port? or do i still have to use two ports into the switch?

Last edited by mikeindo; 06-23-2005 at 04:29 PM.
 
Old 06-23-2005, 04:36 PM   #10
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
You would plug the interface that is in promiscous mode into the span port, and then you would plug the other interface wherever, just so it is accessible via the LAN to pull reports from.
 
Old 06-23-2005, 04:59 PM   #11
mikeindo
Member
 
Registered: May 2004
Posts: 43

Original Poster
Rep: Reputation: 15
thanks - ok one last thing. it's not about snort specifically, but sniffing in general: thru TightVNC on my XP box, i did a 5-second packet capture in Ethereal from the same Snort box from earlier. reading the output, there was all this data that only included my XP box's IP and the Snort box's IP addresses as source/destination. what happened there? what was i really seeing? since i can't read/interpret output yet, i can only guess it was reading the VNC and ssh data flowing (of which there was none during the capture) between the 2 computers? just not sure - again, ignorance. fyi, the 2 computers aren't even connected to the same switch in our network, but are on the same subnet.
 
Old 06-29-2005, 04:34 PM   #12
mikeindo
Member
 
Registered: May 2004
Posts: 43

Original Poster
Rep: Reputation: 15
so at home...?

so at home, unless i have a managed switch, are you saying i can't use snort? in terms of monitoring just the LAN, i mean. NOT the incoming Internet connection...

Last edited by mikeindo; 06-29-2005 at 05:54 PM.
 
Old 06-30-2005, 09:10 AM   #13
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
You can use it if everything on your home LAN is plugged into a hub. If everything is plugged into a switch and you don't have a span port, then no, it won't work effectively.
 
Old 07-01-2005, 04:37 PM   #14
mikeindo
Member
 
Registered: May 2004
Posts: 43

Original Poster
Rep: Reputation: 15
ok, so back to the office LAN: what if we have multiple switches? does only one switch have to have a span port into which the snort box's promisc NIC is connected and can still listen to all traffic, whether it's on that switch or another? (sub-question: the other switches don't need to be managed and/or have a span port, right?) or would i have to put a different snort box on each switch? again, it's all one subnet, FWIW.
 
Old 07-02-2005, 12:17 AM   #15
RijilV
Member
 
Registered: Sep 2002
Location: somewhere
Distribution: gentoo
Posts: 123

Rep: Reputation: 15
so....let me get this straight...

you want to run snort on your internal network to catch....what exactly? your users, um, using their computers?

Also, why do you have two NICs plugged into the same network? what exactly is that doing? are you doing that so you can uh, monitor the same traffic twice to like, uh check for hardware problems with umm your NICs or something? Like, I don't get it, and stuff.

if you have a switched network, the switches will only send traffic to its destination (short version). Unless someone on your closed, private, corporate, controlled network attacks your squid box, you are never going to log anything (but if they do, you'll be able to see the traffic twice...)

The idea behind running an IDS is to catch attacks. So, you want to place your IDS where it is most likely to see attacks....which, for the record, is not at the end of a segment all by itself. you want to place the IDS between your network and wherever it is you think attacks will be coming from (hence why there are two NICs).

with multiple switches, unless the switches were forwarding all the traffic to themselves then to your snort box, you'd need to monitor every port.

to be brutally honest, I think you've skipped over some required reading material. W. R. Stevens' TCP/IP Illustrated or like, I think cisco makes some books too.

since I don't know if / how your network interfaces with any other network, and it sounds like all you are trying to do is monitor the computers on your own network, which somewhat baffles me, the easiest thing to do would be to get a bunch of cisco gear and put each system on its own vlan then switch them all through the snort box with a vlan card in it. that won't work well if you have a large network, but I'm willing to bet that isn't the case...


so like, uh, why don't you just put the snort box inline between the firewall (if you have one...else the big scary network that you're afraid attacks will come from) and t3h rest of your networkx0r ... you don't even need to assign it IPs, just forward from eth0 to eth1 and backwards...


remember logs are pointless if you don't read and act upon them.
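The forwarding behaviour described through this thread can be checked against a small model: jonlake's point in #4 that a switch floods only until its CAM table has learned where each MAC lives, the hub, span-port and tap placements from #6 and #13, and the multiple-switch question answered in #14/#15. This is an added example, not code from the thread or from Snort. The topologies, host names and port numbers are constructed, and host names stand in for MAC addresses; the model ignores broadcast traffic and CAM ageing, which is why the post-learning counts are what matter.

```python
# Added example, not code from the thread or from Snort: a toy model of a hub, a
# learning switch (optionally with a SPAN/mirror port) and a passive tap, counting
# how many frames of a conversation reach a Snort sensor in each placement.
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")   # host names stand in for MAC addresses

class Device:
    """links maps a port name to a host name or to a (device, port) cable."""
    def __init__(self, name, links=None):
        self.name, self.links = name, dict(links or {})

class Hub(Device):
    def egress(self, in_port, frame):
        return set(self.links) - {in_port}         # repeat on every other port

class Switch(Device):
    def __init__(self, name, links=None, span_port=None):
        super().__init__(name, links)
        self.cam, self.span_port = {}, span_port   # cam: learned MAC -> port
    def egress(self, in_port, frame):
        self.cam[frame.src] = in_port              # learn where the sender lives
        if frame.dst in self.cam:
            out = {self.cam[frame.dst]}            # known destination: one port only
        else:
            out = set(self.links)                  # unknown: flood, until it is learned
        if self.span_port is not None:
            out.add(self.span_port)                # mirror everything to the monitor port
        out.discard(in_port)
        return out

class Tap(Device):
    def egress(self, in_port, frame):
        # Passive tap: a<->b traffic is copied to mon; mon itself cannot transmit.
        return set() if in_port == "mon" else {"b" if in_port == "a" else "a", "mon"}

def deliver(device, in_port, frame):
    """Return the set of hosts that receive frame, which enters device on in_port.
    The constructed topologies are loop-free, so no loop guard is needed here."""
    hosts = set()
    for port in device.egress(in_port, frame):
        target = device.links[port]
        if isinstance(target, tuple):
            hosts |= deliver(target[0], target[1], frame)
        else:
            hosts.add(target)
    return hosts

def frames_seen(hosts, sensor, a, b, n=4):
    """Exchange n frames between a and b; count how many reach sensor. A switch has
    learned both MACs after two frames, so 1/4 means 'only the initial flood'."""
    seen = 0
    for i in range(n):
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        dev, port = hosts[src]
        seen += int(sensor in deliver(dev, port, Frame(src, dst)))
    return seen

def hub_off_switch_port():
    # The original wiring: 24-port switch, small hub on port 24, Snort on the hub.
    sw, hub = Switch("sw"), Hub("hub")
    sw.links = {"1": "alice", "2": "bob", "24": (hub, "1")}
    hub.links = {"1": (sw, "24"), "2": "ids"}
    return {"alice": (sw, "1"), "bob": (sw, "2"), "ids": (hub, "2")}

def everything_on_hub():
    hub = Hub("hub", {"1": "alice", "2": "bob", "3": "ids"})
    return {"alice": (hub, "1"), "bob": (hub, "2"), "ids": (hub, "3")}

def switch_with_span():
    sw = Switch("sw", {"1": "alice", "2": "bob", "24": "ids"}, span_port="24")
    return {"alice": (sw, "1"), "bob": (sw, "2"), "ids": (sw, "24")}

def two_switches_span_on_first():
    # SPAN on switch A only; bob and carol both hang off switch B.
    sw_a, sw_b = Switch("swA", span_port="24"), Switch("swB")
    sw_a.links = {"1": "alice", "23": (sw_b, "23"), "24": "ids"}
    sw_b.links = {"1": "bob", "2": "carol", "23": (sw_a, "23")}
    return {"alice": (sw_a, "1"), "bob": (sw_b, "1"), "carol": (sw_b, "2"), "ids": (sw_a, "24")}

def tap_on_uplink():
    # Tap spliced into the router-to-switch cable, monitor port to Snort.
    tap, sw = Tap("tap"), Switch("sw")
    tap.links = {"a": "router", "b": (sw, "24"), "mon": "ids"}
    sw.links = {"1": "alice", "2": "bob", "24": (tap, "b")}
    return {"router": (tap, "a"), "alice": (sw, "1"), "bob": (sw, "2"), "ids": (tap, "mon")}

def report():
    """Frames out of 4 that the sensor sees, per placement and conversation."""
    cases = [
        ("hub off switch port, alice<->bob", hub_off_switch_port, "alice", "bob"),
        ("all on one hub, alice<->bob", everything_on_hub, "alice", "bob"),
        ("span port, alice<->bob", switch_with_span, "alice", "bob"),
        ("two switches, alice<->bob crosses uplink", two_switches_span_on_first, "alice", "bob"),
        ("two switches, bob<->carol stays on B", two_switches_span_on_first, "bob", "carol"),
        ("tap on uplink, alice<->router", tap_on_uplink, "alice", "router"),
        ("tap on uplink, alice<->bob internal", tap_on_uplink, "alice", "bob"),
    ]
    return {label: frames_seen(build(), "ids", a, b) for label, build, a, b in cases}
```

Running report() reproduces the thread's conclusions: with the hub hanging off one switch port the sensor sees only the single frame flooded before the switch learns where bob is, a hub or a span port delivers all four, a tap on the uplink sees every frame that crosses the perimeter but only the initial flood of purely internal traffic, and a span port on one switch misses conversations that stay local to a second switch, which is why each switch (or its uplink) needs its own mirror or tap.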
 