[Snort-users] Snort Setup Suggestions? *NEWBIE QUESTION*

McCammon, Keith Keith.McCammon at ...3497...
Mon Aug 12 12:21:03 EDT 2002

Some suggestions...

There should be two network interfaces: One for the sensor, and one for management.  The sensor interface will run un-addressed, so you don't have to worry about folks on the Internet firing exploits at that interface.  The one on the LAN/WAN should be addressed, privately if possible.  However, being a college environment, that may not be possible, so you'll want to use IPSec policy in conjunction with a simple border ACL to restrict access to that node from un-trusted networks (actually, all non-admin networks).

As far as IIS is concerned, IIS is not much of a liability in and of itself.  The liability is that folks who don't have a clue (or don't care) do not take the time to understand how it works, or the measures required to make it function in a safe manner.  As long as you understand the threats and lock it down, you're just fine.  Read the MS best practices, and make use of IIS Lockdown, URLScan, etc.  Also use integrated authentication to the extent possible, and check all of your ACL's.

In a nutshell, you're not at a total disadvantage using Win32.  You have to go with what you know, right?  Just apply some common sense, and sound network security practices in general, and it'll be fine.



-----Original Message-----
From: Charles Hamby [mailto:fixer at ...6598...]
Sent: Monday, August 12, 2002 1:10 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Setup Suggestions? *NEWBIE QUESTION*

I'm getting readying to helping the sysadmin from my college setup a Snort sensor (Win32), and I'd like to get some input...

The network Snort's being installed on is non-firewalled (I know, I know, I've been arguing with him about this for a year, but to no avail) Win2k domain.  Neither of us know enough about Linux to know with a Linux version, so I've decided on the win32 distro.  They're using an entirely switched network, so since getting a tap would cost money (which they don't have), we're looking at setting up the Snort sensor at the network ingress point.  The only problem I have is that doing so will require adding IIS in order to view the logs (can you say security hole?) unless the sysadmin wants to walk down to the comm. Closet several times a day to check the snort logs (doubtful).

Does anyone know of another way around this (as you can tell, I'm really new to Snort).  Thanks!


More information about the Snort-users mailing list