LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-25-2006, 02:22 PM   #1
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedora Core 3
Posts: 138

Question Snort: Putting the IDS inside/outside network...


Hello fellas...

Info of my network structure

- Linux Server --- Snort runs on this machine --- :

Which is the router of the network within my apartment. It is natting the internet connection to the clients, serving DHCP, and has an iptables configured firewall (it has two eths of course: the home network NIC (eth1) and the outside (internet) NIC (eth0)).

- Client 1 (Windows 98)

- Client 2 (Windows XP)

Ok! Here is the concern: What would be the correct way to make snort analyze portscans, dos attacks, overflow attacks to my Linux server coming from the outside network?

My snort HOME_NET variable stands for an IP range inside my network (i.e. 192.168.0.0/24). Is this right? Isn't snort, then, analyzing attacks, portscans and exploits that happen from my very own network towards my very own network? For example DOS attacks from machine 192.168.0.45 towards machine 192.168.0.197 (assuming these are valid IPs within the network)?

Sorry about the loooooooooong question.
Thank you very much!
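The question above is really about what Snort's rule-header variables match. As an added illustration (not code from the thread or from Snort), the snippet below models the common header `$EXTERNAL_NET any -> $HOME_NET any` for the OP's HOME_NET and shows that with `EXTERNAL_NET any` (Snort's default) an internal-to-internal packet still matches, while `EXTERNAL_NET !$HOME_NET` excludes it. The addresses and packets are constructed; it models rule headers only, not the portscan preprocessor, and a sensor on eth1 never sees packets addressed to the router's outside IP in the first place.

```python
import ipaddress

# Constructed values: the OP's home range plus a hypothetical outside host
# taken from the 198.51.100.0/24 documentation block.
HOME_NET = [ipaddress.ip_network("192.168.0.0/24")]

# Constructed sample packets as (src, dst) pairs.
PACKETS = [
    ("198.51.100.7", "192.168.0.197"),  # outside -> inside
    ("192.168.0.45", "192.168.0.197"),  # inside -> inside (the OP's DoS case)
    ("192.168.0.45", "198.51.100.7"),   # inside -> outside
]


def in_home_net(addr, home_net=HOME_NET):
    """True if addr falls inside any HOME_NET range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)


def external_net_matches(addr, external_net, home_net=HOME_NET):
    """Evaluate the two usual EXTERNAL_NET settings for one address:
    'any' matches every address, '!$HOME_NET' only those outside HOME_NET."""
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return not in_home_net(addr, home_net)
    raise ValueError("unsupported EXTERNAL_NET form: " + external_net)


def rule_header_matches(src, dst, external_net):
    """Does src -> dst fall under '$EXTERNAL_NET any -> $HOME_NET any'?"""
    return external_net_matches(src, external_net) and in_home_net(dst)


def classify(external_net):
    """Map each sample packet to whether the rule header would apply."""
    return {f"{s}->{d}": rule_header_matches(s, d, external_net)
            for s, d in PACKETS}


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {setting}: {classify(setting)}")
```

With `EXTERNAL_NET any` the internal 192.168.0.45 -> 192.168.0.197 packet is evaluated by such rules, which is the behaviour the OP describes; the tighter setting trades that visibility for fewer alerts from inside traffic.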
 
Old 01-25-2006, 05:36 PM   #2
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 548

1. By NATing are you including firewall functions on the same box with snort? I am hoping you aren't because it's not wise.

2. If you put a tap outside the firewall, it will be much busier analyzing traffic so be sure you have the resources to capture a meaningful amount of packets.

3. To listen outside the firewall, you need a simple switch outside the firewall and a second ethernet port inside the snort box. CAREFULLY follow ethernet tap making instructions to listen only and connect the tap to the second ethernet adapter and the switch.

Watching inside-only traffic is not a bad thing.
 
Old 01-27-2006, 11:21 AM   #3
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedora Core 3
Posts: 138

Original Poster
Nice but...

Let's suppose I'm using a switch -- and the IDS machine will be a totally different machine (I understood why it's not good for the router/firewall machine to be the IDS machine too). Switches will map the ports. So a packet with destination IP xxx.xxx.xxx.xxx will only be sent to the port where xxx.xxx.xxx.xxx is connected. Right? So the IDS machine (even setting eth0 or 1 or 2 etc. to promiscuous mode) will only receive connections destined to its IP.

Another concern is that the IDS has two cards. One to be connected with the internal network and another to the hub, which will be splitting the raw connection coming from the internet... before the router/firewall, right? So OK. Let's say interface 1 has an IP inside the network. But what about the second card? Which IP will it have? It has to have an IP, doesn't it?

Let's talk ADSL. I have an IP assigned to my router/firewall via DHCP, but when I plug the router and IDS cables into the hub the ISP will have to assign two IPs via DHCP, won't it?

And what about security? What kind of security does the IDS (totally separate) machine have? How do we secure it?

Thank you very much! :-)
 
Old 01-27-2006, 11:30 AM   #4
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 548

Rtfm

If you don't want to take the time to learn from the immense amount of information widely available on setting up snort then I'm not sure why you even started the thread.

Of course, if you'd like to pay me to do the setup for you, then contact me directly.
 
Old 01-27-2006, 01:54 PM   #5
Palula
Member
 
Registered: May 2005
Location: Brazil
Distribution: Fedora Core 3
Posts: 138

Original Poster
Sorry to bother and thanks anyway. :-)
 
Old 01-27-2006, 03:34 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by mpapet
if you'd like to pay me to do the setup for you, then contact me directly.
//Moderator note: LQ is a community provided free of charge. Please do not try to take advantage of that by fishing for jobs. It is disrespectful towards LQ's owner and your fellow LQ members alike.