[Snort-users] Re: [Snort-sigs] Snort on FTP server

Matt Kettler mkettler at ...4108...
Wed Jan 22 11:50:04 EST 2003

First, I'm moving this over to snort-users.. which is where it belongs. 
snort-sigs is for signature development related issues.

Second, sure, you can run snort on any pc at any point in your network. It 
all depends on what you want snort to monitor. The most common deployment 
monitors a whole network, thus snort is commonly installed at the gateway, 
but there's no reason it can't monitor a point inside the network.

Snort should see all the traffic present on the FTP server's NIC, but 
because your DSL router's 3 ethernet ports are likely a switch, it will not 
be able to monitor attacks against any other machine in the network.

Also since the FTP server is NAT'ed by a typical DSL/cable router box, I 
highly doubt it will be probed on any ports other than ones which your 
router is manually configured to forward to the FTP server. It's impossible 
for anyone outside to specifically address your FTP server, thus it should 
be impossible for me to probe a random subset of ports on your FTP box from 
the outside.

There is one major drawback of running it on the same machine: if the FTP 
server gets hacked, the attacker, if smart, can now blank your snort logs.

At 06:24 PM 1/17/2003 +0100, Walter Pouwels wrote:
>Hi to all.
>I wonder if it is any use putting snort on a pc (win2k server) which is 
>used as an FTP server ?
>When reading through Snort docs and such all I seem to read is snort 
>being used on the actual router/gateway station, listening on the external 
>interface. What I want to do is monitor any logon attempts at the ftp 
>server for users without login/pw but also if the machine gets probed on 
>any other ports.
>The network topology is as follows:
>E-tech router
>1x WAN ------ ADSL 1536 Kbps/256Kbps
>4x LAN 10/100 Mbit
>In the 4 LAN connections there are:
>pc-1 end-user system IP
>pc-2 end-user system IP
>pc-3 FTP server IP
>So is this possible to install snort on a machine with only 1 NIC and have 
>it listen to the traffic on that NIC or should I place another pc between 
>the FTP server and the router LAN port
>(giving: ftp-server ---- SNORT PC ----- router ---- ADSL)?
>Thanks in advance.
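As an added illustration (not part of either message above, and not a ruleset shipped with Snort), this is the kind of local rule and output configuration that would cover the two concerns raised in the thread: catching failed and anonymous FTP logins on the sensor running on the FTP host itself, and sending alerts off the box so a compromised FTP server cannot simply blank the logs. The interface, the syslog collector address and the sid numbers are assumptions chosen for the example; the rules match the FTP protocol strings as they appear on the wire, so they work whether the sensor sits on the FTP host or on a separate machine that sees the same traffic.

```snort
# --- snort.conf fragment (example, not the project's shipped config) ---
# HOME_NET is the FTP server's own address behind the NAT router (assumed).
var HOME_NET 192.168.0.3/32
var EXTERNAL_NET !$HOME_NET

# Ship alerts to a separate syslog host (assumed 192.168.0.2) so that an
# attacker who owns the FTP box cannot erase the only copy of the alerts.
# The host= form is the Win32 syntax for alert_syslog; on Unix the daemon
# forwards to a remote collector via its own syslog configuration.
output alert_syslog: host=192.168.0.2:514, LOG_AUTH LOG_ALERT

# --- local.rules (example rules, sid range 1000000+ reserved for local use) ---
# Failed login: the server answers "530 " to a USER/PASS sequence.
# Matching the server's reply rather than the client's PASS command means
# one rule covers bad usernames, bad passwords and disabled accounts alike.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"LOCAL FTP login failed"; \
    flow:from_server,established; content:"530 "; depth:4; \
    classtype:unsuccessful-user; sid:1000001; rev:1;)

# Anonymous login attempt: the client sends USER anonymous (or ftp).
# nocase because the FTP username is compared case-insensitively by many servers.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP anonymous login attempt"; \
    flow:to_server,established; content:"USER anonymous"; nocase; \
    classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP anonymous login attempt (ftp)"; \
    flow:to_server,established; content:"USER ftp"; nocase; \
    classtype:misc-activity; sid:1000003; rev:1;)
```

Run with `snort -c snort.conf -i <the FTP host's single NIC>` and add `include local.rules` to snort.conf. Because the router's LAN ports behave as a switch, this sensor only ever sees traffic addressed to the FTP host; anything probing the two end-user PCs is invisible to it, exactly as the reply above explains.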
