[Tfug] Snort usage and security precautions

Brian Murphy murphy+tfug at email.arizona.edu
Sun Aug 13 11:54:10 MST 2006


What you want to do is use a unidirectional port tap to mirror traffic
at your uplink but not allow your snort sensor to send any signs of
existence to the bad guys.  This can be accomplished with higher end
switches or little hardware devices.[*]  If you can't do that, bring up
the snort interface but don't assign it an IP address. (ifconfig eth1
up)  It will still see the traffic because snort runs in promiscuous
mode.  Both cases require that you have a dedicated NIC for snort.

Brian

[*] You may be able to get away with snipping the Tx line in your
ethernet cable but some switches won't link if you do this.  Ethernet
requires bidirectional traffic at the physical level.

Quoting Adrian <choprboy at dakotacom.net>:
> Query: How many people are using Snort in a production environment? Using
> Snort on an internet facing interface?
>
> I keep thinking about deploying Snort as a detection/classification service,
> in addition to my existing firewall logging and periodic manual
> inspection... But it seems like every other week there is a serious security
> hole. Given that, I would hate to have it on my firewall or facing the
> internet in particular, though that is presumably where the "bad stuff" is you
> want to detect.
>
> Adrian
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
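A check of the sensor-interface state described above (up, promiscuous, no address), added here as an example and not part of the original thread. It assumes the one-line-per-record output of iproute2's `ip -o link show IFACE` and `ip -o addr show IFACE`; the sample lines below are constructed.

```shell
#!/bin/sh
# Verify that a Snort sniffing interface is UP and PROMISC but carries
# no inet/inet6 address, from the output of:
#   ip -o link show eth1   (one line, flags inside <...>)
#   ip -o addr show eth1   (one line per address, empty if none)
# A passive sensor should reach that state with, for example:
#   ip link set eth1 up promisc on
#   ip addr flush dev eth1
#   sysctl -w net.ipv6.conf.eth1.disable_ipv6=1   # drops the auto fe80:: address

# Returns 0 when the interface is fit for a passive sensor, 1 otherwise.
# $1: the `ip -o link show` line, $2: the `ip -o addr show` output
sensor_iface_ok() {
    link_line=$1
    addr_lines=$2
    flags=${link_line#*<}          # drop everything up to the first '<'
    flags=${flags%%>*}             # keep only the comma-separated flag list
    case ",$flags," in
        *,UP,*) ;;
        *) echo "interface is not UP" >&2; return 1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "interface is not in promiscuous mode" >&2; return 1 ;;
    esac
    # Any address record means the box can answer ARP/ND probes or be
    # addressed directly; a link-local fe80:: entry counts, since Linux
    # adds one automatically whenever IPv6 is enabled on the interface.
    if printf '%s\n' "$addr_lines" | grep -Eq '[[:space:]]inet6?[[:space:]]'; then
        echo "interface carries an IP address" >&2; return 1
    fi
    return 0
}

# Constructed samples (hypothetical eth1), not captured from a real host.
LINK_OK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
ADDR_OK=''
LINK_NOPROMISC='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
ADDR_V4='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'
ADDR_LL='3: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever'

if sensor_iface_ok "$LINK_OK" "$ADDR_OK"; then echo "no-IP promisc eth1: pass"; fi
if sensor_iface_ok "$LINK_OK" "$ADDR_V4"; then :; else echo "eth1 with IPv4: fail (expected)"; fi
if sensor_iface_ok "$LINK_OK" "$ADDR_LL"; then :; else echo "eth1 with fe80:: only: fail (expected)"; fi
```

The link-local case is the one that a bare "bring it up without an address" step misses, since the kernel adds the fe80:: address on its own unless IPv6 is disabled on that interface.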
