[Snort-users] new to snort

Fiona Whelan fiona.whelan at ...1697...
Fri Mar 30 22:14:56 EST 2001


Thanks Neil for your help.

What I have now in my rc.local start up file is:
cd /usr/local/snort-1.7
/usr/local/bin/snort -p -D -s -u daemon -g daemon -c snort.conf

That does what I want it to do - starts snort as a daemon without putting eth0 into promisc
mode. I tested it with a couple of nmaps and flood pings from other hosts and got what I had
hoped.. lots of log entries in /var/log/snort.
The -s option sends alerts to the syslog daemon, yes? This should mean that alerts turn up in
/var/log/messages? They aren't. I realise that I probably have to add something to the
syslog.conf file, but not sure what. Can anyone tell me what I need to add?

Thanks again,


---- Begin Original Message ----
 From: Neil Dickey <neil at ...1633...>
Sent: Fri, 30 Mar 2001 10:32:06 -0600 (CST)
To: snort-users at lists.sourceforge.net
CC: fiona.whelan at ...1697...
Subject: Re: [Snort-users] new to snort

Dear Fiona,

I'm a relatively new user of Snort too, but here's my thought on your
questions:

>1. How do I best use snort as an IDS.. basically I want it to monitor 
>the same stuff as portsentry did.. attacks on ports.

The standard rulesets are the best way to start.  As you become familiar
with the sorts of traffic your network receives, and comfortable with
writing your own rules, you will customize it to suit your own needs.
It's a little nervous at first, but that passes.  The new, modularized,
ruleset format makes this, and updates, easy.

Any IDS is best coupled, in my opinion, with a strong packet filter, as
for instance IPFilter.  The IDS tells you what's coming in, and the filter
lets you stop it if you wish.  Keep in mind, though, that Snort can be
memory-hungry, so don't run it on a machine which is short on resources.

>2. To achieve the above would I have to leave eth0 in promiscuous
>mode? My box is on a LAN of different servers run by different
>people. Being in promisc mode would not be liked by other people on
>the network because they might think I was sniffing on them.. trying
>to get their passwords or read mail going to them, etc.

An IDS *is* a packet-sniffer, but it sniffs according to rules and not
indiscriminately.  This means that to use it your interface has to be
in promiscuous mode in order for it to work -- *IF* you are trying to
protect more than one box with your copy of Snort.  If you are only
worried about the box that Snort is running on, then I think you can
get away without promiscuous mode.

If you are watching over a small network, and that network is properly
sub-netted, then you can set Snort up so that it is only capturing
packets relevant to you.  If not, then you're going to be looking out
for everybody.  If you think they'll know you're running Snort and be
worried about it, perhaps you can bring them in from the beginning
so that they can see what you're up to.  If the thing is well-handled,
instead of worrying about you they may come to depend on you.

If anyone can improve my opinions, I'd be glad to read what they have
written.

>Thanks in advance for any help you can give me with the above
>questions.

You're most welcome.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115




_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---- End Original Message ----
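Fiona's open question is what to put in syslog.conf so that the `-s` alerts land in a file she can watch. As an added example, not from the thread or from the Snort project, here is a small Python evaluator of syslog.conf selectors (sysklogd semantics: `facility.priority` means that priority and above, `none` excludes a facility, later entries in a selector override earlier ones) run against a constructed syslog.conf resembling a Red Hat default. It assumes Snort's `-s` output uses the `authpriv` facility (the Snort usage text says these alerts appear in /var/log/secure on Linux) and the `alert` priority; both are assumptions, check them against your own Snort build.

```python
"""Work out which log files a syslog message would reach under a syslog.conf.

Added example, not part of the mailing-list thread. Facility/priority used
for Snort's -s alerts below (authpriv.alert) are assumptions.
"""
import re

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample resembling a Red Hat 7-era default syslog.conf.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
"""

def parse_syslog_conf(text):
    """Return a list of (selector, action) pairs, skipping comments/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = re.split(r"\s+", line, maxsplit=1)
        if len(fields) == 2:
            rules.append((fields[0], fields[1]))
    return rules

def selector_matches(selector, facility, priority):
    """Evaluate one selector field against a message; later entries win."""
    selected = False
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        facs = facs.split(",")
        if "*" not in facs and facility not in facs:
            continue                      # entry says nothing about our facility
        if prio == "none":
            selected = False              # explicit exclusion, e.g. authpriv.none
        elif prio == "*":
            selected = True
        elif prio.startswith("="):
            selected = priority == prio[1:]   # exactly this priority
        else:                             # this priority and everything above it
            selected = PRIORITIES.index(priority) >= PRIORITIES.index(prio)
    return selected

def destinations(conf_text, facility, priority):
    """All actions (files, '*' for wall, etc.) that would receive the message."""
    return [action for sel, action in parse_syslog_conf(conf_text)
            if selector_matches(sel, facility, priority)]

if __name__ == "__main__":
    print(destinations(SAMPLE_CONF, "authpriv", "alert"))
```

With the sample config an authpriv.alert message is excluded from /var/log/messages by the `authpriv.none` entry and goes only to /var/log/secure; appending a line such as `authpriv.alert /var/log/snort/syslog-alerts` adds a second destination.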






