How to only monitor/use as IDS Snort only?
Computadora
Member Posts: 69
I am basically installing Snort on my home network as a test; however, I want to just use it to monitor and log alerts and not take any actions like dropping traffic, like an IPS. Will Snort only monitor traffic by default, or will it drop too based on rules? I am kind of a newbie, so forgive my lack of knowledge. I am going to follow the manual/online tutorial for the install; I was just wondering before I install it if it would, like, start blocking all the sites my bro went to or something.
Comments
dynamik
Banned Posts: 12,312
Where are you placing it in regards to your network topology? You'd typically use a SPAN port off a switch or an ethernet tap (you could possibly use a hub for a SOHO configuration as well). Snort will simply be receiving a copy of network communications and wouldn't be able to affect traffic if it wanted to. I'd determine placement prior to diving into the rules. You'd place it inline if you wanted it to function as an IPS.
Computadora
Member Posts: 69
I'll be installing it on a virtual machine using bridged networking. Will this be able to monitor network traffic on my Netgear wireless N router?
dynamik
Banned Posts: 12,312
Not by itself. I suggest you start your project by reading this: http://www.sans.org/reading_room/whitepapers/detection/inexpensive-wireless-ids-kismet-openwrt_33103
L0gicB0mb508
Member Posts: 538
The virtual machine probably won't work so well. You are going to want to use a separate physical box. I think in order to do what you are wanting, you will need to put a hub or a switch with a spanned port in between your wireless access point and your modem/router. That should catch all traffic going in and out of your network. You want to put your main IDS at a "choke point" in the network.
Snort by default will not drop anything. It will only do monitoring and alerting. You can configure Snort to work as an IPS, but it's a little clunky. I would suggest you also use some type of front end to do your intrusion monitoring.
I bring nothing useful to the table...
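The point made above (Snort in its default mode only alerts; it cannot drop unless it is run inline) can be checked against the rule set itself before the sensor is started. The following script is an added example, not code from the thread or from the Snort project: it parses Snort rule files, counts the rule actions, and lists any rules with drop/reject/sdrop actions, which would only take effect if Snort were later run inline. The sample rules, their sids and the file name in the usage line are constructed for the demo.

```python
"""Snort rule-action audit (added example, not from the thread).

Snort in its default sniffer/IDS mode only reads packets and writes
alerts; it cannot drop anything unless it is run inline (-Q / inline
policy mode). This script reads Snort rule files and reports which rule
actions are purely passive and which ones would only matter inline, so
you can confirm a monitoring-only sensor has nothing that would block
traffic if someone later flips it to inline mode.

Usage: python snort_rule_audit.py /etc/snort/rules/*.rules
(with no arguments it audits the constructed sample below).
"""
import re
import sys
from collections import Counter

# Actions that never affect traffic, and actions that only act inline.
PASSIVE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
INLINE_ACTIONS = {"drop", "reject", "sdrop"}

# action proto src srcport dir dst dstport (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$"
)

# Constructed sample rules for the demo; sids are in the local (1000000+) range.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000001; rev:1;)
log udp any any -> $HOME_NET 53 (msg:"DNS query logged"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet blocked in inline mode"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any 443 (msg:"trusted HTTPS"; sid:1000004; rev:1;)
"""


def parse_rule(line):
    """Return (action, header, msg) for one rule, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None  # multi-line or otherwise unparsed rule; skipped here
    action = m.group(1).lower()
    header = " ".join(m.group(2, 3, 4, 5, 6, 7))
    msg_match = re.search(r'msg:\s*"([^"]*)"', m.group(8))
    msg = msg_match.group(1) if msg_match else ""
    return action, header, msg


def audit_rules(text):
    """Count rule actions and list the rules that could block traffic inline."""
    counts = Counter()
    inline_rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        action, header, msg = parsed
        counts[action] += 1
        if action in INLINE_ACTIONS:
            inline_rules.append((lineno, action, header, msg))
    return {"counts": dict(counts), "inline_rules": inline_rules}


def is_monitor_only(text):
    """True when every parsed rule uses a passive action."""
    return not audit_rules(text)["inline_rules"]


def main(argv):
    if len(argv) > 1:
        # Line numbers in the report are relative to the concatenated input.
        text = "\n".join(open(p, encoding="utf-8", errors="replace").read() for p in argv[1:])
    else:
        text = SAMPLE_RULES
    result = audit_rules(text)
    for action, n in sorted(result["counts"].items()):
        kind = "inline-only" if action in INLINE_ACTIONS else "passive"
        print(f"{action:10s} {n:5d}  ({kind})")
    for lineno, action, header, msg in result["inline_rules"]:
        print(f"line {lineno}: {action} {header} -- {msg}")
    print("monitor-only rule set" if is_monitor_only(text) else
          "rule set contains inline actions (no effect unless Snort runs inline)")


if __name__ == "__main__":
    main(sys.argv)
```

Running it with no arguments audits the constructed sample and flags the single drop rule; pointing it at a real rules directory gives you a quick inventory before you start Snort on a SPAN or hub port, where it is physically unable to block anything anyway.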
Computadora
Member Posts: 69
I'm thinking about getting a Cisco switch so that I can utilize the SPAN port technology to capture traffic from/to all hosts on the network. Plus I can use it later for my CCNA studies. Just wondering, do you know which Cisco switches/IOS versions support SPAN port, preferably ones that are not too expensive?
Bl8ckr0uter
Inactive Imported Users Posts: 5,031
Computadora wrote:
I'm thinking about getting a Cisco switch so that I can utilize the SPAN port technology to capture traffic from/to all hosts on the network. Plus I can use it later for my CCNA studies. Just wondering, do you know which Cisco switches/IOS versions support SPAN port, preferably ones that are not too expensive?
I think most if not all switches support it.
L0gicB0mb508
Member Posts: 538
I think pretty much any decent Cisco switch will do the trick. If you don't go that route you can always use a hub. It will definitely be cheaper, but since you are planning to do Cisco certifications the switch would probably be more beneficial.
docrice
Member Posts: 1,706
An old 2950 will support it (at least one SPAN session at a time). Even the older 2900XL series will support it, although I think the command was different ("port monitoring" as opposed to the newer "monitor session").
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
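As an added illustration of the two command styles mentioned above (this is an example written for this thread, not configuration from any poster), here is a local SPAN session on a Catalyst 2950 that copies the uplink port's traffic to the port where the Snort sensor's sniffing NIC is plugged in, followed by the older 2900XL/3500XL interface-level syntax. The interface numbers and hostname are assumptions for illustration.

```cisco
! Added example: mirror the uplink (Fa0/1) to the sensor port (Fa0/24).
! Interface numbers and the "Switch" hostname are assumed for illustration.
Switch# configure terminal
Switch(config)# monitor session 1 source interface FastEthernet0/1 both
Switch(config)# monitor session 1 destination interface FastEthernet0/24
Switch(config)# end
Switch# show monitor session 1
!
! Older 2900XL/3500XL style: the monitoring port is configured as an
! interface, and "port monitor" names the port whose traffic it receives.
Switch# configure terminal
Switch(config)# interface FastEthernet0/24
Switch(config-if)# port monitor FastEthernet0/1
Switch(config-if)# end
```

A SPAN destination port only transmits the mirrored copies, so the sensor's sniffing NIC should be brought up without an IP address and Snort pointed at it (for example `snort -c /etc/snort/snort.conf -i eth1`, with `eth1` being the assumed sniffing interface); management of the sensor goes over a separate NIC on a normal switch port, which is the out-of-band arrangement described later in the thread.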
SephStorm
Member Posts: 1,731
I am currently reading the book Snort For Dummies. I really like it; it goes into installation, setup, and so on and so forth. Once I actually start using my lab, I'll be doing the same thing.
Paul Boz
Member Posts: 2,620
If you want to get the most value out of Snort you should set up some user interfaces so you can get reporting and graphs. Look into EasyIDS, ACID/BASE, and/or OSSIM. You can configure Snort to act as an IPS relatively easily by interfacing it with iptables, the built-in Linux/Unix firewall. My suggestion would be to get a 10/100 hub, put it on your cable modem, configure an OSSIM or EasyIDS box with a passive NIC, plug it into the hub, and monitor all of your WAN traffic. I would then set up a second NIC for monitoring your internal subnet. If you're fancy and have a DMZ at home you may want to drop a third NIC for monitoring that segment. Lastly, you want to make sure you have an internal NIC for management only. You can do all of this in a VM but it's ugly, doesn't work as well, and will cause headaches. I would advise buying a mini-ATX case and board, a multi-port NIC (or two) and 4GB RAM. A 100GB hard disk is sufficient. You want to get good NICs because these will be the biggest weak point. A Pentium IV with 4GB RAM will monitor / pass several hundred megs per second. I built a pfSense box with IPS/IDS capabilities with the above system specs for $200 and it could pass up to 650 Mbps doing DPI before it started dropping. I could bond four cable modems and it flew perfectly fine. You should also look into buying a copy of "The Tao of Network Security Monitoring: Beyond Intrusion Detection" by Richard Bejtlich. It will give you several other options regarding open-source IPS/IDS deployments.
I did a (poorly written) writeup of how to get EasyIDS set up somewhere on this site a while back. Search for "EasyIDS" and you should find it. If you can boot a Linux CD you can install it and get an IDS running. Please update this thread or drop me a PM if you need further help. Props to you for wanting to explore Snort. Every higher-end SANS course which I've taken has heavily stressed Snort as a strong operational requirement because of the incredible amount of valuable data you can extract. I would also get cozy with tcpdump, as that's the general de facto packet analysis tool used with Snort.
Here's a quick and dirty topology diagram I put together for you:
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/

dynamik
Banned Posts: 12,312
He's going to need something like Kismet if he wants to actually monitor wireless traffic. SPANs/hubs/taps/etc. aren't going to see unauthenticated/unassociated wireless traffic, and even the traffic you get won't give you any insight into the actual wireless communications since the frames will be 802.3 at that point, not 802.11. Additionally, SPAN ports operate at layer 2, and will not provide as much information as capturing traffic at the physical layer with a hub or a tap, or RF in the case of wireless. This is especially important in regards to wireless networks.
SephStorm
Member Posts: 1,731
Paul,
That IDS box, if I understand this right, is it a Linux box with three NICs running iptables, EasyIDS, and Snort?
And that management box is confusing me, can you explain its use?
L0gicB0mb508
Member Posts: 538
dynamik wrote:
He's going to need something like Kismet if he wants to actually monitor wireless traffic. SPANs/hubs/taps/etc. aren't going to see unauthenticated/unassociated wireless traffic, and even the traffic you get won't give you any insight into the actual wireless communications since the frames will be 802.3 at that point, not 802.11. Additionally, SPAN ports operate at layer 2, and will not provide as much information as capturing traffic at the physical layer with a hub or a tap, or RF in the case of wireless. This is especially important in regards to wireless networks.
I think he just wants to monitor traffic from the network. He isn't specifically looking for wireless traffic. If he placed the switch or hub between the wireless router and the modem he would effectively catch all inbound and outbound traffic. But I agree, if he is looking to monitor the WiFi specifically he is going to need to use something else.
I've used a SPAN port switch (HP and Cisco) with good results with Snort. It will still allow you to see payloads and give you all the information you should need to do analysis.
Being that this is a stand-alone sensor on a small network, he could likely install the front end (database, web server, and front end) on the actual sensor itself. I really doubt he's going to tax the box that much. It's not the best practice, but it will work very well.
I suggest you look into BASE or Sguil for your front end. I usually stick with BASE, but there are other options out there.
Paul Boz
Member Posts: 2,620
SephStorm wrote:
Paul,
That IDS box, if I understand this right, is it a Linux box with three NICs running iptables, EasyIDS, and Snort?
And that management box is confusing me, can you explain its use?
EasyIDS is an appliance-based .iso that runs Linux, Snort, and some front-end GUI software. It also runs a web server. OSSIM is the same. The management computer is the computer you manage the IDS with. This would traditionally be your workstation. You manage the IDS by using the web interface. The purpose of the illustration is to show you that you want a NIC for management only, that is out of band.