[Snort-users] Centralized DB Server??

Chapman, Justin T JtChapma at ...2279...
Tue Jun 19 12:06:17 EDT 2001


I'm not sure if originally got through to the list, so I'm resending.  :-)
 
Sorry for not replying to these earlier, been a bit swamped lately... 
 
I guess what we're doing needs a little clarification.  First, cutting the
tx pair (the orange wires) will not work with many modern hubs/NICs because
they send keep-alive pulses down the wire periodically.  If the keep-alives
fail, many newer hubs will disconnect the port, and you're out of luck.  If
you have older equipment, this shouldn't be a problem, but for many of us it
still is.  With newer equipment, there is a workaround though.  I'll explain
our setup here.  In the snort machine, the external (sniffing) interface is
a 3com 509 combo card.  Attached to the AUI interface, is a modified AUI-UTP
media converter.  We pulled out pins 3 and 10 (the tx pins) from the AUI end
of the converter and then ran a regular UTP cable to the hub.  This
satisfies the hub, because it is still able to send it's keep alives to the
media converter, and satisfies us because the NIC is not able to transmit
any data.
 
You can check out
<http://packetstorm.securify.com/sniffers/sniffing-faq.htm>
http://packetstorm.securify.com/sniffers/sniffing-faq.htm  section 3.6 for a
good explanation of what I just tried to describe.
 
I hope this helps!
 
--Justin-----Original Message-----
From: Barry Darnton [mailto:BarryD at ...2332...]
Sent: Monday, June 18, 2001 1:32 AM
To: 'Chapman, Justin T'
Subject: RE: [Snort-users] Centralized DB Server??



I'm curious, how do you get any data without the link up. I though this was
a great idea but I cant get any data without the link, but I cant get a link
with all 4 wires connected.??

Barry 


-----Original Message----- 
From: Chapman, Justin T [ mailto:JtChapma at ...2279...
<mailto:JtChapma at ...2279...> ] 
Sent: Friday, 15 June 2001 1:25 
To: Marc Thompson; 'Andreas Lindenblatt'; 'Kris Quinby' 
Cc: snort-users at lists.sourceforge.net 
Subject: RE: [Snort-users] Centralized DB Server?? 


My department has recently been brainstorming this same issue & we came up 
with what I think is an interesting solution.  Our topology is pretty 
simple, we have a perimeter network and a "trusted" DMZ.  We, too didn't 
like the idea of having MySQL traffic passing through the perimeter network.

So, our idea was to have a dual-homed machine with one leg outside and one 
leg inside... with one catch.  The cable on the external interface (the one 
that snort is listening on) has the transmit pairs cut.  It's physically 
impossible for that interface to transmit any data.  It can listen all day 
long, it just won't respond to *anything*.  This makes the computer 
completely invisible to the outside world and all attempts to map it, ping 
it or otherwise communicate with it fail.  We're still able to log to our 
MySQL database on the inside via the DMZ connection, too.  


--Justin 

> -----Original Message----- 
> From: Marc Thompson [ mailto:Marc.Thompson at ...2101...
<mailto:Marc.Thompson at ...2101...> ] 
> Sent: Tuesday, June 12, 2001 5:58 PM 
> To: 'Andreas Lindenblatt'; 'Kris Quinby' 
> Cc: snort-users at lists.sourceforge.net 
> Subject: RE: [Snort-users] Centralized DB Server?? 
> 
> 
> Andreas, 
> 
> >But I would feel uhm... uncomforatable with an open MySQL-Port to a 
> >machine sitting inside our network and collecting lots of 'foreign', 
> >unchecked and unencrypted sensor data. 
> 
> What about an IDS box that has two network interfaces:  One non-IP 
> Ethernet adapter on the DMZ and one IP-assigned Ethernet Adapter 
> on the local net.  
> 
> I forgot to mention that I am assuming that I am *not* transferring 
> alerts across the Internet.  The sites have redundant VPN 
> connectivity, 
> to the sites are also connected via leased-lines on a private net. 
> 
> Does this mitigate the risk or am I misunderstanding your point? 
> 
> Thanks, 
> Marc 
> 
> ******************************************* 
> Marc Thompson 
> IT Site Manager 
> BOPS, Inc. 
> 7800 Shoal Creek Blvd. Suite 200N 
> Austin, TX 78757 
> 
> 
> -----Original Message----- 
> From: Andreas Lindenblatt [ mailto:azrael at ...70...
<mailto:azrael at ...70...> ] 
> Sent: Tuesday, June 12, 2001 6:20 PM 
> To: Marc Thompson; 'Kris Quinby' 
> Cc: snort-users at lists.sourceforge.net 
> Subject: Re: [Snort-users] Centralized DB Server?? 
> 
> 
> Hi Marc, 
> 
> > geographical locations.  I've been brainstorming this a 
> bit, and it seems 
> > that I should be able to easily ignore alerts that are 
> being generated by 
> > traffic to the MySQL TCP port.  Does this sound like the answer? 
> It surely is an answer to your initial question :). 
> 
> But I would feel uhm... uncomforatable with an open MySQL-Port to a 
> machine sitting inside our network and collecting lots of 'foreign', 
> unchecked and unencrypted sensor data. 
> 
> Even if it means we don't get 'real-time' data, we fell back 
> to packing 
> and scrambling logs at the snort-boxes and fetching them with scp. 
> 
> Hmmm... what happened to SnortNet? It looked good with snort 1.6 :) 
> 
> -- 
> ---- 
> BYE Andreas 
> 
> _______________________________________________ 
> Snort-users mailing list 
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe: 
> http://lists.sourceforge.net/lists/listinfo/snort-users
<http://lists.sourceforge.net/lists/listinfo/snort-users>  
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>  
> 

_______________________________________________ 
Snort-users mailing list 
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe: 
http://lists.sourceforge.net/lists/listinfo/snort-users
<http://lists.sourceforge.net/lists/listinfo/snort-users>  
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
<http://www.geocrawler.com/redir-sf.php3?list=snort-users>  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010619/cc7b4fc9/attachment.html>


More information about the Snort-users mailing list