[Snort-users] new to snort

Neil Dickey neil at ...1633...
Fri Mar 30 11:32:06 EST 2001


Dear Fiona,

I'm a relatively new user of Snort too, but here's my thought on your
questions:

>1. How do I best use snort as an IDS.. basically I want it to monitor 
>the same stuff as portsentry did.. attacks on ports.

The standard rulesets are the best way to start.  As you become familiar
with the sorts of traffic your network receives, and comfortable with
writing your own rules, you will customize it to suit your own needs.
It's a little nervous at first, but that passes.  The new, modularized,
ruleset format makes this, and updates, easy.

Any IDS is best coupled, in my opinion, with a strong packet filter, as
for instance IPFilter.  The IDS tells you what's coming in, and the filter
lets you stop it if you wish.  Keep in mind, though, that Snort can be
memory-hungry, so don't run it on a machine which is short on resources.

>2. To achieve the above would I have to leave eth0 in promiscuous 
>mode? My box is on a LAN of different servers run by different 
>people. Being in promisc mode would not be liked by other people on 
>the network because they might think I was sniffing on them.. trying 
>to get their passwords or read mail going to them, etc.

An IDS *is* a packet-sniffer, but it sniffs according to rules and not
indiscriminately.  This means that to use it your interface has to be
in promiscuous mode in order for it to work -- *IF* you are trying to
protect more than one box with your copy of Snort.  If you are only
worried about the box that Snort is running on, then I think you can
get away without promiscuous mode.

If you are watching over a small network, and that network is properly
sub-netted, then you can set Snort up so that it is only capturing
packets relevant to you.  If not, then you're going to be looking out
for everybody.  If you think they'll know you're running Snort and be
worried about it, perhaps you can bring them in from the beginning
so that they can see what you're up to.  If the thing is well-handled,
instead of worrying about you they may come to depend on you.

If anyone can improve my opinions, I'd be glad to read what they have
written.

>Thanks in advance for any help you can give me with the above 
>questions.

You're most welcome.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
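As an added example (not part of Neil's post or of the Snort project), the two choices discussed above, protecting only your own box without promiscuous mode versus watching a whole subnet, expressed as a small POSIX shell helper that builds the matching Snort command line and checks an interface's promiscuous flag. It assumes a Linux host with sysfs under /sys/class/net, the Snort 1.x/2.x flags -p (disable promiscuous mode), -h (home network) and -c (config file), and a config at /etc/snort/snort.conf; those are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: pick the Snort invocation for
# "protect only this box" (no promiscuous mode, BPF filter limited to our
# own address) or "watch the subnet" (promiscuous, filter limited to the
# subnet), and verify an interface's promiscuous state afterwards.
# Assumptions: Linux sysfs interface flags, Snort 1.x/2.x command-line
# options (-p, -h, -c) and the config path /etc/snort/snort.conf.

# IFF_PROMISC bit of the interface flags word (Linux <linux/if.h>).
IFF_PROMISC=256

# is_promisc FLAGS_HEX -> prints "yes" or "no".
# FLAGS_HEX is the content of /sys/class/net/<iface>/flags, e.g. 0x1003.
is_promisc() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# iface_promisc IFACE -> reads sysfs and reports the live state,
# so you can confirm "-p" really left the interface non-promiscuous.
iface_promisc() {
    is_promisc "$(cat "/sys/class/net/$1/flags")"
}

# snort_cmd IFACE HOME SCOPE -> prints the command line to run.
# SCOPE "host": HOME is this machine's address; Snort runs with -p and a
#               BPF filter so only traffic to/from that address is seen.
# SCOPE "net":  HOME is the subnet in CIDR form; interface goes promiscuous
#               and the BPF filter keeps capture to that subnet only.
snort_cmd() {
    iface=$1 home=$2 scope=$3
    case $scope in
        host)
            myip=${home%/*}   # strip any /prefix; a single address is expected
            echo "snort -p -i $iface -h $home -c /etc/snort/snort.conf host $myip"
            ;;
        net)
            echo "snort -i $iface -h $home -c /etc/snort/snort.conf net $home"
            ;;
        *)
            echo "usage: snort_cmd IFACE HOME host|net" >&2
            return 1
            ;;
    esac
}
```

Run `iface_promisc eth0` while Snort is up to confirm that the `-p` variant really did not put the interface into promiscuous mode.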