[Snort-users] Dual home IDS? ACID and send email alerts on one, IDS on the other.
jrhendri at ...9784...
Sun Oct 24 07:11:01 EDT 2004
A couple of items you might want to consider:
- where is the sensor located (in the network topology)? Does this imply any
- what do you want *from* the sensor? - Do you want to be able to send RST
packets from the sensor? (active response) If so, you need to be physically
able to do this.
- what are the characteristics of the monitoring point itself? - Are you
monitoring a simple half-duplex 100 Mb/s link? An Internet link where the
traffic will never exceed 5 Mb/s ? A full-duplex Gigabit trunk of internal
What I am basically saying is that there is no requirement to silence the
interface or use a second NIC as far as snort is concerned. That decision
must be made based on where the sensor is and what functionality you want
The security of the sensor itself must be taken into account (patch the box,
disable or do not install unnecessary services, use good basic security
including ssh or physical-only access, etc.) but do not mistake silencing a
single interface with a layered security strategy for the server(s).
Consider what is the risk to the sensor for being attacked or probed. Is it
likely to be more vulnerable than if it were *not* a sensor?
You can run snort on a server|workstation on an internal production network
and that does not require a "silent" interface. Why would having a "silent"
interface make it any more secure or provide snort any better performance
*other than* to not have the communications to|from the sensor use that
However, if it is located where there *is* more risk (like on a firewall
service net or even outside the firewall) or you simply want to physically
isolate the traffic, you may well want to use multiple NICs and configure
them to be as invisible and silent as possible. There are several options
you can simply ifconfig an interface up, but give it no IP address
you can custom create a "receive only" cable
you can use specially designed network taps that are physically
incapable of transmitting. (or are able to transmit, based again on your
Thinking about being able to transmit or not is usually a decision made
partially on security (if the interface cannot transmit, it is less
vulnerable to attack, although a vulnerability that exploited something in
the network processing itself could still succeed) and partially on your
need to transmit from that interface (if you want to use the sensor as an
intrusion *prevention* system by transmitting TCP resets to offending
connections, obviously it will need to be able to transmit. This in itself
is a complex and contentious decision that I won't go deeply into here.
Simply consider that not all traffic *is* TCP (so a reset will be
ineffective against it) and "single packet kills" will still make it past.
To summarize -
In a small setting (for example) I have used a sensor with one interface on
the internal network (listening for potential problems that have made it
through the firewall or initiating on the inside) and a second silenced
interface outside the firewall (I choose not to do active response, and do
not want an attacker to be able to gain information about the IDS itself
through that interface)
In another setting, I will be using a dedicated interface in conjunction
with a copper Gigabit tap that interleaves both directions of traffic to a
single link (using an aggregated tap since I am confident that the
utilization on that link is low enough that I will be highly unlikely to
have packet loss)
Best of luck. Do some research and have fun!
GCFW, GCIA, GCIH
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Marty Hauser
Sent: Saturday, October 23, 2004 2:06 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Dual home IDS? ACID and send email alerts on one, IDS
on the other.
Thanks to the great work of the group behind and Patrick S. Harper
<mailto:patrick at ...4250...> , his procedures are very good and
I have Fedora Core 2 and snort 2.2.0 running perfectly. There is nothing
wrong with the IDS system, this question is on an enhancement. My manager
configured the Cisco switch to mirror all traffic to one port. That's what
we want, but I'm told that this port is IP-less and no traffic can flow into
or out of the IDS system. The IDS system is connected to this port and
working perfectly. The issue is the IDS system can't send emails or access
the functional ACID website. I thought of adding a second NIC and directing
SNORT to monitor this NIC instead and connect the original NIC to the
network on a normal port and regain email and ACID website support. Have you
guy's any guidance/ experience with resolving an issue like this? Any help
would really be appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users