From: Matt Kettler (mkettler_at_evi-inc.com)
Date: Wed Jan 22 2003 - 13:53:25 CST

    First, I'm moving this over to snort-users, which is where it belongs.
    snort-sigs is for signature development related issues.

    Second, sure, you can run snort on any pc at any point in your network. It
    all depends on what you want snort to monitor. The most common deployment
    monitors a whole network, thus snort is commonly installed at the gateway,
    but there's no reason it can't monitor a point inside the network.

    Snort should see all the traffic present on the FTP server's nic, but
    because your DSL router's 3 ethernet ports are likely a switch, it will not
    be able to monitor attacks against any other machine in the network.

    Also since the FTP server is NAT'ed by a typical DSL/cable router box, I
    highly doubt it will be probed on any ports other than ones which your
    router is manually configured to forward to the FTP server. It's impossible
    for anyone outside to specifically address your FTP server, thus it should
    be impossible for me to probe a random subset of ports on your FTP box from
    the outside.

    There is one major drawback of running it on the same machine: if the FTP
    server gets hacked, the attacker, if smart, can now blank your snort logs.

    At 06:24 PM 1/17/2003 +0100, Walter Pouwels wrote:
    >Hi to all.
    >
    >I wonder if it is any use putting snort on a pc (win2k server) which is
    >used as an FTP server ?
    >
    >When reading through Snort docs and such all I seem to read is snort
    >being used on the actual router/gateway station, listening on the external
    >interface. What I want to do is monitor any logon attempts at the ftp
    >server for users without login/pw but also if the machine gets probed on
    >any other ports.
    >
    >The network topology is as follows:
    >
    >E-tech router
    >1x WAN ------ ADSL 1536 Kbps/256Kbps
    >4x LAN 10/100 Mbit
    >
    >In the 4 LAN connections there are:
    >
    >pc-1 end-user system IP 192.168.4.1
    >pc-2 end-user system IP 192.168.4.2
    >pc-3 FTP server IP 192.168.4.3
    >
    >So is this possible to install snort on a machine with only 1 NIC and have
    >it listen to the traffic on that NIC or should I place another pc between
    >the FTP server and the router LAN port
    >(giving: ftp-server ---- SNORT PC ----- router ---- ADSL)?
    >
    >Thanks in advance.
    >
    >Walter
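As an added illustration (not part of this thread or of Snort itself), the script below reads Snort "fast"-format alert lines recorded on the FTP host and summarises, per source address, the FTP login failures and any hits on ports the router is not configured to forward, which is the check Matt's reply implies for a NATed host. The alert lines, the rule SIDs 9000001/9000002 and the message texts are constructed sample data, and the forwarded-port set {21} is an assumption about the router configuration.

```python
import re
from collections import defaultdict

# Constructed sample alerts (fast format) for the FTP host 192.168.4.3;
# SIDs and messages are placeholders, not real Snort rule ids.
SAMPLE_ALERTS = """\
01/22-13:50:01.000001 [**] [1:9000001:1] FTP Bad login [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.168.4.3:21
01/22-13:50:02.000002 [**] [1:9000001:1] FTP Bad login [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.168.4.3:21
01/22-13:50:03.000003 [**] [1:9000001:1] FTP Bad login [**] [Priority: 2] {TCP} 198.51.100.7:40003 -> 192.168.4.3:21
01/22-13:51:10.000004 [**] [1:9000001:1] FTP Bad login [**] [Priority: 2] {TCP} 192.168.4.1:51000 -> 192.168.4.3:21
01/22-13:52:00.000005 [**] [1:9000002:1] Port probe [**] [Priority: 3] {TCP} 198.51.100.7:40010 -> 192.168.4.3:445
"""

# One fast-format alert line: timestamp, [gid:sid:rev], message, ..., {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def summarize(events, host, forwarded_ports, login_threshold=3):
    """Group alerts aimed at `host` by source address.

    bad_logins counts FTP login failures on port 21; unexpected_ports lists
    destination ports the router does not forward. For a NATed host an outside
    address should never reach such a port, so a hit there points at a
    forwarding misconfiguration or at a source inside the LAN.
    """
    summary = defaultdict(lambda: {"bad_logins": 0, "unexpected_ports": set(), "flag": False})
    for ev in events:
        if ev["dst"] != host:
            continue
        entry = summary[ev["src"]]
        if "Bad login" in ev["msg"] and ev["dport"] == 21:
            entry["bad_logins"] += 1
        if ev["dport"] not in forwarded_ports:
            entry["unexpected_ports"].add(ev["dport"])
    for entry in summary.values():
        entry["unexpected_ports"] = sorted(entry["unexpected_ports"])
        entry["flag"] = entry["bad_logins"] >= login_threshold or bool(entry["unexpected_ports"])
    return dict(summary)


if __name__ == "__main__":
    for src, entry in summarize(parse_alerts(SAMPLE_ALERTS), "192.168.4.3", {21}).items():
        print(src, entry)
```

Because the alerts are written on the monitored host itself, the same summary is only trustworthy if the alert file is also shipped off-box (for example via Snort's syslog output), which addresses the log-blanking drawback Matt points out.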
