From: Neil Dickey (neil@geol.niu.edu)
Date: Fri Mar 30 2001 - 10:32:06 CST


    Dear Fiona,

    I'm a relatively new user of Snort too, but here's my thought on your
    questions:

    >1. How do I best use snort as an IDS.. basically I want it to monitor
    >the same stuff as portsentry did.. attacks on ports.

    The standard rulesets are the best way to start. As you become familiar
    with the sorts of traffic your network receives, and comfortable with
    writing your own rules, you will customize it to suit your own needs.
    It's a little nervous at first, but that passes. The new, modularized,
    ruleset format makes this, and updates, easy.

    Any IDS is best coupled, in my opinion, with a strong packet filter, as
    for instance IPFilter. The IDS tells you what's coming in, and the filter
    lets you stop it if you wish. Keep in mind, though, that Snort can be
    memory-hungry, so don't run it on a machine which is short on resources.

    >2. To achieve the above would I have to leave eth0 in promiscuous
    >mode? My box is on a LAN of different servers run by different
    >people. Being in promisc mode would not be liked by other people on
    >the network because they might think I was sniffing on them.. trying
    >to get their passwords or read mail going to them, etc.

    An IDS *is* a packet-sniffer, but it sniffs according to rules and not
    indiscriminately. This means that to use it your interface has to be
    in promiscuous mode in order for it to work -- *IF* you are trying to
    protect more than one box with your copy of Snort. If you are only
    worried about the box that Snort is running on, then I think you can
    get away without promiscuous mode.

    If you are watching over a small network, and that network is properly
    sub-netted, then you can set Snort up so that it is only capturing
    packets relevant to you. If not, then you're going to be looking out
    for everybody. If you think they'll know you're running Snort and be
    worried about it, perhaps you can bring them in from the beginning
    so that they can see what you're up to. If the thing is well-handled,
    instead of worrying about you they may come to depend on you.

    If anyone can improve my opinions, I'd be glad to read what they have
    written.

    >Thanks in advance for any help you can give me with the above
    >questions.

    You're most welcome.

    Best regards,

    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois 60115

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
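The two points in the reply above, that an IDS sniffs according to rules rather than indiscriminately, and that on a shared LAN you can scope it to the subnet that is relevant to you, as an added example. This is illustration code written for this page, not Snort's own code and not from the original post: it parses a small, assumed subset of Snort's rule syntax (header plus msg/content options), resolves $HOME_NET against a constructed subnet, and shows which of a few constructed packets would raise an alert and which are never inspected further because they are addressed to somebody else's host.

```python
"""Minimal rule-driven packet inspection in the spirit of a Snort ruleset.

Added example, not Snort code. Assumptions: only the rule subset below is
parsed, $HOME_NET is the constructed subnet, and packets are plain dicts
rather than captured frames.
"""
import ipaddress
import re

# Constructed: the subnet "relevant to you" on a LAN shared with other admins.
HOME_NET = ipaddress.ip_network("10.1.2.0/24")

# Constructed rules in Snort-like syntax (assumption: msg/content options only).
RULES = [
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH connection to home net";)',
    'alert tcp any any -> $HOME_NET 80 (msg:"cgi-bin request to home net"; content:"/cgi-bin/";)',
]

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
OPT_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_rule(text):
    """Split a rule into its header fields and a dict of quoted options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule["opts"]))
    return rule


def addr_matches(spec, addr):
    """'any', '$HOME_NET', or a literal address/CIDR."""
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(addr) in HOME_NET
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header first (cheap), payload content only if the header matched."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["opts"].get("content")
    if content is not None and content.encode() not in pkt["payload"]:
        return False
    return True


def inspect(packets, rules=RULES):
    """Return (src, dst, msg) for every packet/rule pair that matches."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for pkt in packets:
        for rule in parsed:
            if rule_matches(rule, pkt):
                alerts.append((pkt["src"], pkt["dst"], rule["opts"].get("msg", "")))
    return alerts


# Constructed traffic as seen by a promiscuous interface on the shared LAN.
SAMPLE_PACKETS = [
    # Somebody else's server (10.1.3.5 is outside HOME_NET): header fails, payload never looked at.
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40000, "dst": "10.1.3.5", "dport": 22, "payload": b"SSH-2.0-x"},
    # SSH to a host you are responsible for.
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40001, "dst": "10.1.2.10", "dport": 22, "payload": b"SSH-2.0-x"},
    # HTTP to HOME_NET without the content pattern: header matches, content does not.
    {"proto": "tcp", "src": "192.0.2.8", "sport": 40002, "dst": "10.1.2.10", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    # HTTP to HOME_NET with the content pattern.
    {"proto": "tcp", "src": "192.0.2.8", "sport": 40003, "dst": "10.1.2.10", "dport": 80, "payload": b"GET /cgi-bin/test HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_PACKETS):
        print(alert)
```

Running it yields two alerts, for the second and fourth packets only. The first packet is dropped at the header stage because its destination is outside HOME_NET, which is the mechanism that lets a rule-driven sensor on a shared segment ignore traffic for hosts you do not administer even though the interface sees it; the third packet shows that a header match alone is not an alert when the rule also carries a content check.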