From: Neil Dickey (neilgeol.niu.edu)
Date: Fri Mar 30 2001 - 10:32:06 CST
I'm a relatively new user of Snort too, but here's my thought on your
>1. How do I best use snort as an IDS.. basically I want it to monitor
>the same stuff as portsentry did.. attacks on ports.
The standard rulesets are the best way to start. As you become familiar
with the sorts of traffic your network receives, and comfortable with
writing your own rules, you will customize it to suit your own needs.
It's a little nervous at first, but that passes. The new, modularized
ruleset format makes this, and updates, easy.
Any IDS is best coupled, in my opinion, with a strong packet filter, as
for instance IPFilter. The IDS tells you what's coming in, and the filter
lets you stop it if you wish. Keep in mind, though, that Snort can be
memory-hungry, so don't run it on a machine which is short on resources.
>2. To achieve the above would I have to leave eth0 in promiscuous
>mode? My box is on a LAN of different servers run by different
>people. Being in promisc mode would not be liked by other people on
>the network because they might think I was sniffing on them.. trying
>to get their passwords or read mail going to them, etc.
An IDS *is* a packet-sniffer, but it sniffs according to rules and not
indiscriminately. This means that to use it your interface has to be
in promiscuous mode in order for it to work -- *IF* you are trying to
protect more than one box with your copy of Snort. If you are only
worried about the box that Snort is running on, then I think you can
get away without promiscuous mode.
If you are watching over a small network, and that network is properly
sub-netted, then you can set Snort up so that it is only capturing
packets relevant to you. If not, then you're going to be looking out
for everybody. If you think they'll know you're running Snort and be
worried about it, perhaps you can bring them in from the beginning
so that they can see what you're up to. If the thing is well-handled,
instead of worrying about you they may come to depend on you.
If anyone can improve my opinions, I'd be glad to read what they have
>Thanks in advance for any help you can give me with the above
You're most welcome.
Neil Dickey, Ph.D.
Northern Illinois University
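To make the promiscuous-mode point above concrete, here is an added Python model (not Snort's own code and not part of this post) of how a rule header, the HOME_NET/EXTERNAL_NET variables and the interface mode together decide which alerts fire. The ruleset, the addresses and the traffic sample are all constructed for the example.

```python
import ipaddress
import re
# Constructed example ruleset in Snort 2.x syntax plus snort.conf-style variables (not from the post).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002;)',
]
VARIABLES = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # EXTERNAL_NET = not HOME_NET
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rule(text):
    # Split the rule header into its fields; keep the sid from the option block for reporting.
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    sid = int(re.search(r"sid:(\d+)", opts).group(1))
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "sid": sid}

def addr_test(token, variables):
    # Turn an address token (any, $VAR, !$VAR, CIDR) into a predicate over an IP string.
    if token.startswith("!"):
        inner = addr_test(token[1:], variables)
        return lambda ip: not inner(ip)
    if token == "any":
        return lambda ip: True
    if token.startswith("$"):
        return addr_test(variables[token[1:]], variables)
    net = ipaddress.ip_network(token)
    return lambda ip: ipaddress.ip_address(ip) in net

def port_ok(spec, port): return spec == "any" or int(spec) == port

def rule_matches(pkt, rule, variables):
    return (pkt["proto"] == rule["proto"]
            and addr_test(rule["src"], variables)(pkt["src"]) and addr_test(rule["dst"], variables)(pkt["dst"])
            and port_ok(rule["sport"], pkt["sport"]) and port_ok(rule["dport"], pkt["dport"]))

def interface_sees(pkt, own_ip, promiscuous):
    # Without promiscuous mode the NIC only hands the sensor frames addressed to this host.
    return promiscuous or own_ip in (pkt["src"], pkt["dst"])

def run_sensor(packets, rules, variables, own_ip, promiscuous):
    # Return the sids that fire, in packet order, for the traffic the interface delivers.
    compiled = [parse_rule(r) for r in rules]
    return [rule["sid"] for pkt in packets if interface_sees(pkt, own_ip, promiscuous)
            for rule in compiled if rule_matches(pkt, rule, variables)]

PACKETS = [  # constructed traffic: our sensor box is 192.0.2.10, a neighbour on the same LAN is 192.0.2.20
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 22},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.20", "dport": 21},
    {"proto": "tcp", "src": "192.0.2.20", "sport": 40002, "dst": "192.0.2.10", "dport": 22},
]
```

With `promiscuous=False` only the SSH attempt against the sensor's own address fires; with `promiscuous=True` the FTP attempt against the neighbour fires too, which is exactly the extra visibility the other users on the LAN would notice.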