Snort IDS (Intrusion detection system) wiring

post #1 of 25
Thread Starter 
Setting up an IDS (intrusion detection system) on Ubuntu. Snort's documentation states to hook it up between the firewall and router with a switch. I'm wondering if a network tap would work just as well without wasting a switch. Thoughts?
post #2 of 25
Yup, it would work fine, pretty much the same ^_^
post #3 of 25
Thread Starter 
Quote:
Originally Posted by Ulquiorra

Yup, it would work fine, pretty much the same ^_^

Here's how I normally wire a passive network tap.

I have a regular RJ45 NIC and a USB one and I can see everything going both ways while not creating any presence on the network. How would I set this up with Snort as I'd need it to monitor two NICs?
post #4 of 25
When you say you need it to monitor 2 NICs, are you putting it as a tap interface (a device sitting in promiscuous mode with one NIC) or as in between 2 things?

I thought you meant the first, but the second post made me think you were talking about the second (sorry, it's my fault ^_^)

As for the setup, it should be the same, as it would just look at info traversing the bridge (I think), but I will check at work tomorrow to look at our internal documentation.
post #5 of 25
Thread Starter 
Quote:
Originally Posted by Ulquiorra

When you say you need it to monitor 2 NICs, are you putting it as a tap interface (a device sitting in promiscuous mode with one NIC) or as in between 2 things?
I thought you meant the first, but the second post made me think you were talking about the second (sorry, it's my fault ^_^)
As for the setup, it should be the same, as it would just look at info traversing the bridge (I think), but I will check at work tomorrow to look at our internal documentation.

Maybe I'm going about it the wrong way then. I was planning on putting a tap in between my PIX 501 and switch for Snort rig to sniff the packets.
post #6 of 25
The way you're describing it, I think it's just the standard way:

Internet -> snort -> lan

Snort acts as a bridge which just passes traffic through.
post #7 of 25
Thread Starter 
Quote:
Originally Posted by Ulquiorra

The way you're describing it, I think it's just the standard way:
Internet -> snort -> lan
Snort acts as a bridge which just passes traffic through.

Yeah, it has to pass data 100% untouched though. I have my setup:

phoneline-->Modem--->PIX-501

I have the modem in a complete pass-through mode letting my PIX 501 do PPPoE authentication. My concern is changing the setup when the Snort rig is actually physically in between the modem and PIX would be a good idea and it might mess up the PPPoE pass-through.
post #8 of 25
Hmm, had a quick look and it should work; you just forward everything across. You could do a test by preparing the box and dropping it in xD
post #9 of 25
You can use a cheap hub.
post #10 of 25
It would, but you would have to crimp a cable so the box would be able to Rx but not Tx, as you don't want people to know Snort is there.
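For the passive-tap layout discussed in this thread (one NIC per traffic direction, sensor never transmitting), the following is an added example and not something any poster supplied. It prints a command plan that bonds the two tap-facing NICs into one capture interface for Snort and checks that neither NIC still holds an address; the interface names `eth1`, `eth2`, `bond0` and the `/etc/snort/snort.conf` path are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. eth1/eth2/bond0 are placeholder names.

# Print (not run) the commands that turn the two tap-facing NICs into one
# silent capture interface. Review the plan, then pipe it to `sudo sh`.
plan_tap_sensor() {
    local a="$1" b="$2" bond="${3:-bond0}" nic
    if [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]; then
        echo "usage: plan_tap_sensor IF_A IF_B [BOND]" >&2
        return 2
    fi
    echo "ip link add $bond type bond"
    for nic in "$a" "$b"; do
        echo "ip link set dev $nic down"
        echo "ip addr flush dev $nic"                      # no IP on the wire
        echo "sysctl -w net.ipv6.conf.$nic.disable_ipv6=1" # no IPv6 autoconfig
        echo "ethtool -K $nic gro off lro off"             # frames as sent
        echo "ip link set dev $nic master $bond"
        echo "ip link set dev $nic arp off promisc on up"
    done
    echo "sysctl -w net.ipv6.conf.$bond.disable_ipv6=1"
    echo "ip link set dev $bond arp off promisc on up"
    # Assumed config path: the Ubuntu package default.
    echo "snort -i $bond -c /etc/snort/snort.conf -A console"
}

# Filter `ip -o addr show` output (stdin) down to addresses bound to the named
# capture interfaces. Any line printed means that NIC can still talk.
addresses_on() {
    awk -v want=" $* " 'index(want, " " $2 " ") { print $2, $4 }'
}

# Constructed sample of `ip -o addr show` output: eth0 is management,
# eth1/eth2 face the tap and should carry no address at all.
SAMPLE_ADDRS='2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
3: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link
4: eth2    inet 169.254.7.9/16 scope link eth2'

if [ "$#" -ge 2 ]; then
    plan_tap_sensor "$@"
else
    plan_tap_sensor eth1 eth2
    printf '%s\n' "$SAMPLE_ADDRS" | addresses_on eth1 eth2
fi
```

On a live sensor, `ip -o addr show | addresses_on eth1 eth2` should print nothing once the plan has been applied.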