[Snort-users] PLEASE HELP HERE.

Jim Hendrick jrhendri at ...9784...
Mon Feb 9 01:56:02 EST 2004

I think the best advice I can give here is for you to plan to take
some time and figure out the "best" answers for yourself.

This is not a "cop out", and I am sure you will get a lot of excellent
advice from others on this list. What I mean is that there are many good
practices and excellent technical solutions for any IDS solution. What works
"best" for me (or someone else) may not be even a "good" fit in your

As a first step, I would suggest that you start small. Implement a single
sensor, perhaps on your own workstation or on an "extra" PC. Whether it is
running Windows or UNIX is pretty irrelevant at this point. Use whatever you
are most comfortable administering.

Use this platform to gain experience about the number and type of alerts you
see in your environment (give it a couple of weeks at *least* for you to
become comfortable with what you are seeing). While this is running, use the
time to research (Google is your friend, so is www.snort.org) other possible
"add ons" to help collect data from one or multiple sensors.

Next implement a monitoring mechanism (ACID is pretty popular but even
simple text logs can be effective if configured well). Take a bit of time
working this out.

At the same time, try monitoring different points in your topology. There
are good cases for network taps, but certainly "port mirroring" on a switch
is a viable solution. In smaller networks (less than 5 Mb/s maximum
throughput as a quick rule of thumb) you might even be able to use a cheap
"hub" spliced in-line where you want to monitor. Where you monitor depends
on what you are trying to protect. Right "behind" your firewall is a good
place to look for inbound attacks that *should be* stopped by the firewall.
It is also a good place to look for outbound attacks that might indicate
compromised internal machines. Also, if you have specific internal servers
that contain critical resources, you might want to put an IDS so that it can
see all access to/from those machines.

As far as the administrative interface, I would simply ask that you think
about risk vs. benefit. If you allow access from the Internet, what possible
benefit will you have? Do you have another way to access the system? A VPN
or other secured remote-access method available to you? If so, I would
strongly recommend *against* making this system available on the Internet.
The risk of someone being able to compromise it means they would have
access to whatever (internal) network traffic the sensor could see. (read
this last sentence again for full effect :-)

Logging and reporting will vary according to how much traffic you see and
what the "real" alerts are that you decide you need to watch for *in your
environment*. (for a couple quick examples, if you do not run any web
servers, you would not need to concern yourself *as much* with any web
probes/attacks than if you had critical resources on web hosts, if you are
not a SQL-Server shop, then SQL alerts would be less concerning to you,

Good luck!


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of vasanth b
Sent: Sunday, February 08, 2004 10:00 PM
To: snort-users at lists.sourceforge.net
Cc: ravivsn at ...9637...; pauls at ...6838...; patrick at ...4250...
Subject: [Snort-users] PLEASE HELP HERE.

I will be implementing IDS using SNORT in our company network infrastructure
and would be thankful for some help. After going through all the documents
found in snort.org, I have got some doubts in implementing Snort IDS.

      Are these sensors or taps compulsory? Can we use Snort to monitor using
a span or mirror port in the switch? If a sensor is necessary, where do I get
it and how do I place it?
As for taps, I found different kinds of taps on the net, so please advise me
regarding this.

2.EVENT MONITORING - How to better configure the IDS NIC that will be acting
as an admin interface, where I will be connecting for event information.
Should I configure this interface with security to be accessed from the
Internet or should I configure this interface to be accessed from the LAN
via the firewall?

3.LOGS - Where should I store all the logs? Do I need a separate server
to store all the logs? If not, approximately how much space will be required?

4.REPORTING - What is the best way to centralize and access all event 
reporting? What is the best product to accomplish this?

Please be kind to let me know if you have a better approach to any of this 
or if you have any other comments or suggestions.



