[Snort-users] New install questions.

Sallee, Stephen (Jake) Jake.Sallee at ...15646...
Thu Mar 7 12:26:25 EST 2013

This is what I love about communities like this, open exchange.

Perhaps I can add a bit to my story for the collective judgment of all those present.

I have about 50 buildings, each connected to my NOC in a star topology.

The plan is to deploy a Security Onion sensor box at the uplink for each building, all reporting back to a SO mother ship deployed in my NOC.  I already use a NAC solution that controls my users' access; Snort integrates with my NAC to give me the ability to mitigate undesirable activity in real time. Having the SO sensors report back to my NAC will allow me to manage users' access (IE: kick the bloody boogers off my network) should they violate my ToS.

My thoughts about an edge IDS are based on the need to replace an aging and overcommitted existing IPS that I have never really liked.  I agree with the sentiment expressed here that the best place for the edge IDS would be on the inside interface of the FW, especially when the addition of a honeypot server is involved.

So the plan is to have a honeypot on the outside with an IDS on the inside (possibly SO as well) and SO sensors on every aggregate link internally.  With this setup I believe I should have excellent visibility into what is traversing my network.

The SO sensors are a done deal, I have the project already scheduled.

The impetus behind this conversation was to get some initial information on the edge IDS; and that, you guys have given me in spades, thank you.

SO does look like a strong candidate for our edge IDS, but I will also be assessing vendor solutions.

I am more than happy to continue this conversation but we should probably change the subject line if we do : ) You guys answered my original question very well.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: Greg Williams [mailto:gwillia5 at ...15920...]
Sent: Thursday, March 07, 2013 9:36 AM
To: Gregory W. MacPherson
Cc: Sallee, Stephen (Jake); snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] New install questions.

Agreed.  You should always monitor what you are trying to protect.  Even if that means you have sensors everywhere - behind your firewall, behind your core routers, between the storage network and authentication servers, etc.  You want to make sure that you are protecting your infrastructure from internal threats as well, so just behind the firewall typically is not enough.  Thanks for bringing up that point, Greg, I agree 100% with you.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure

-----Original Message-----
From: Gregory W. MacPherson [mailto:greg at ...15873...]
Sent: Wednesday, March 06, 2013 5:57 PM
To: Greg Williams
Cc: Sallee, Stephen (Jake); snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] New install questions.

Snort is an intrusion detection system. You don't detect intrusions outside of your firewall.

Having said that, depending on the size and scale of your network, right inside the firewall might not be the optimal place to stick your IDS.
Additionally, you may need more than one IDS. Here's why:

Suppose you're interested in who gets through the firewall - firewall logs should give you that, right? Maybe you want to collect k3wl packets being passed - same tactic works, but neither really addresses the 'security' of your data.

Ask yourself, what is the critical intellectual property (or competitive advantage) that you are trying to protect? That is where you should start looking to place your IDS, because it is the unauthorized access to *that* which will result in "career limiting events".

With the level of sophistication of modern attacks (think "Aurora") it's no longer enough to spot malformed packets traversing your network. You want to be detecting and responding to anomalous *behavior*.

With a standard three armed architecture, maybe you're willing to sacrifice your DMZ server(s). Fine, but once those get compromised, how will you spot the rogue intrusion into the interior network segment (presuming that you have valid password credentials and/or keys on the DMZ servers that an attacker can use to get inside)?

Depending on your environment, remember that attacks may originate from valid INTERNAL users.

I would start by putting Snort in front of what you want to protect. Then reassess whether that gives you sufficient visibility into your network traffic, or whether you need a second (or even a third) IDS deployed to give you the full picture of who is behaving badly.

Ultimately where you put Snort is more about what you are trying to protect, and from what sort of access, than it is about catching all those k3wl attack packets for your budding signature writing effort.


On or about 2013.03.07 00:14:00 +0000, Greg Williams (gwillia5 at ...15920...) said:

> Jake, I would argue the opposite.  Your firewall is there for a reason.  If you are bombarded with seeing what is happening on the outside of your perimeter you may miss something that did make it past your firewall.  I might suggest a honeypot outside your firewall to see who is banging on your perimeter.  Block the IPs that come from that.  Sounds like you are almost the same size as we are.  Typically ~400-600Mbps of traffic.  I use SO for my home network.  It's a great tool.
> Greg Williams
> IT Security Principal
> University of Colorado at Colorado Springs
> Website: http://www.uccs.edu/itsecure
> From: Sallee, Stephen (Jake) [mailto:Jake.Sallee at ...15646...]
> Sent: Wednesday, March 06, 2013 5:01 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] New install questions.
> Thank you all for your input! I also just realized that all of my replies are not going to the list ... blasted outlook  >: (
> >>IMHO, you need to be on the inside of the firewall, let the firewall block the majority of the nonsense, and let Snort concentrate on what actually makes it through the Firewall.
> I thought about this, and the only reason I thought about the outside of the FW was that I would like to know when someone is hammering on my FW.  The analogy I was envisioning was listening for the bad guy banging on the door and not the sound of the door breaking in.
> I am trying to adopt a more proactive security posture, if I only sniff traffic inside the firewall then I would be missing the attempts at a break-in and only seeing if they are successful, at that time I am already in trouble.
> Am I missing something?
> Also (this is the part that didn't make it to the list) someone mentioned Security Onion.  SO is AMAZING!  I did a POC deployment and my management went nuts for it.  I am scheduled to deploy a SO sensor net with about 50-60 sensors this summer, sniffing all my internal traffic.  So a BIG thank you to Doug.
> My only concern about SO in this instance is its constant packet capture feature, which is fantastic on my internal links, but my internet link is at an almost constant 250Mb/sec bursting to 500Mb/sec. Accounting for logs and packet capture data that is almost 3TB a day ... that's actually not too bad. Hmmmm....
> Thank you all again!
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton TX. 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Wednesday, March 06, 2013 3:24 PM
> To: Sallee, Stephen (Jake)
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] New install questions.
> On Mar 6, 2013, at 3:30 PM, "Sallee, Stephen (Jake)" <Jake.Sallee at ...15646...> wrote:
> 1) Normally where would you deploy a SNORT IDS?  My thoughts are to deploy it out of band using a monitor session on the internet switch, with a dedicated management interface for sending emails and such from the snort box. Basically setting it up as a tap on the outside interface of my firewall.
> IMHO, you need to be on the inside of the firewall, let the firewall block the majority of the nonsense, and let Snort concentrate on what actually makes it through the Firewall.
> 2) What kind of hardware do I need?  Since this is my internet sniffer it will be seeing some rather exotic traffic and will need some careful tuning to get right.  I would like to be able to use as many rules as possible, but more rules = more CPU and RAM.  Given that, what kind of hardware am I looking at to be able to use a good and thorough rule set while not getting bogged down under peak conditions (theoretically about 3Gb/sec).
> You'll probably need something like flow dividing and pinning to CPUs. There are lots of articles out there on this information.  One of the more recent that discuss this topic (although it really doesn't tell you how to configure Snort: http://erratasec.blogspot.com/2013/02/multi-core-scaling-its-not-multi.html )  Worth a good read.  I believe the Security Onion distro does this now (Doug, care to confirm?)
> 3) Homebrew vs. Vendor.  Sourcefire makes what I consider to be the gold standard of snort based IDS ... or IDS in general.
> Thank you.
> But, is the GUI and support necessary?
> Depends on your use case, but for an enterprise, at the speeds you are talking, a GUI would make things easier to manage and simpler to use.
> If I can successfully demo and deploy this tech on a homebrew box could I get professional support without buying the hardware from a vendor like sourcefire, or should I skip the roll-your-own setup and go for broke with a fully supported platform first?
> I don't want to discuss our product on list, as vendor discussion is pretty much disallowed, but you are welcome to contact me off list.
> We do not offer a paid support offering for Snort from Sourcefire, but we do offer services for Snort: http://www.snort.org/services. The VRT rules are always supported by the VRT at any time, whether you buy a subscription or not.
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
Founder, IT Security Expert, Global Network Security Exploitation Specialist http://www.constellationsecurity.com/greg/
