[Tfug] Snort usage and security precautions
Adrian
choprboy at dakotacom.net
Mon Aug 14 09:55:21 MST 2006
On Sunday 13 August 2006 11:54, Brian Murphy wrote:
> What you want to do is use a unidirectional port tap to mirror traffic
> at your uplink but not allow your snort sensor to send any signs of
> existence to the bad guys. This can be accomplished with higher end
> switches or little hardware devices.[*] If you can't do that, bring up
> the snort interface but don't assign it an IP address. (ipconfig eth1
> up) It will still see the traffic because snort runs in promiscuous
> mode. Both cases require that you have a dedicated NIC for snort.
>
Well, I understand using a port tap (or in my case, port mirroring on my
switches), but what do you do when you do not have a dedicated machine to act
as your Snort client? I wasn't so concerned about bad guys knowing that a
Snort box was present... Rather, what steps do you take to prevent/minimize
the chances of the Snort box being compromised by people throwing packets out
randomly.
>
> [*] You may be able to get away with snipping the Tx line in your
> ethernet cable but some switches won't link if you do this. Ethernet
> requires bidirectional traffic at the physical level.
>
> Quoting Adrian <choprboy at dakotacom.net>:
> > Query: How many people are using Snort in a production environment? Using
> > Snort on an internet facing interface?
> >
> > I keep thinking about deploying Snort as a detection/classification service,
> > in addition to my existing firewall logging and periodic manual
> > inspection... But it seems like every other week there is a serious security
> > hole. Given that, I would hate to have it on my firewall or facing the
> > internet in particular, though that is presumably where the "bad stuff" is you
> > want to detect.
> >
> > Adrian
> >
> > _______________________________________________
> > Tucson Free Unix Group - tfug at tfug.org
> > Subscription Options:
> > http://www.tfug.org/mailman/listinfo/tfug_tfug.org
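Brian's suggestion of a sniffing NIC with no IP address, worked through as an added shell example that is not from the thread: it configures a dedicated Linux interface as listen-only (no address, no ARP replies, no IPv6, promiscuous) and audits that state from iproute2 output. The interface name eth1 and the sample `ip -o` output lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): make a dedicated Linux NIC a listen-only
# Snort sensor interface and audit it. "eth1" and the sample output are constructed.

# Runs a command, or only prints it when DRY_RUN=1 (review without root).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Bring up $1 with no IP presence: no address, no ARP replies, no IPv6
# link-local address, but promiscuous so Snort sees the mirrored traffic.
stealth_iface() {
  iface="$1"
  run "ip addr flush dev $iface"
  run "ip link set dev $iface arp off multicast off promisc on up"
  run "sysctl -w net.ipv6.conf.$iface.disable_ipv6=1"
  run "sysctl -w net.ipv6.conf.$iface.autoconf=0"
}

# Audit a sensor NIC from the text of `ip -o link show dev X` ($1) and
# `ip -o addr show dev X` ($2). Prints each finding; returns 0 only if silent.
audit_iface() {
  rc=0
  case "$1" in *PROMISC*) ;; *) echo "not promiscuous: Snort will miss traffic"; rc=1 ;; esac
  case "$1" in *NOARP*) ;; *) echo "ARP enabled: interface answers ARP probes"; rc=1 ;; esac
  if printf '%s\n' "$2" | grep -Eq ' inet6? '; then
    echo "has an IP address: interface is reachable"; rc=1
  fi
  return $rc
}

# Constructed samples: a sensor NIC someone left with an address (weak) and
# the same NIC after stealth_iface (silent).
LEAKY_LINK='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
LEAKY_ADDR='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
3: eth1    inet6 fe80::211:22ff:fe33:4455/64 scope link'
SILENT_LINK='3: eth1: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
SILENT_ADDR=''

if ! audit_iface "$LEAKY_LINK" "$LEAKY_ADDR"; then
  echo "eth1 is not silent; commands that would fix it:"
  DRY_RUN=1 stealth_iface eth1
fi
audit_iface "$SILENT_LINK" "$SILENT_ADDR" && echo "eth1 is silent"
```

Run the audit against the real `ip -o link show dev eth1` and `ip -o addr show dev eth1` output after a reboot as well, since an interface that picks up a DHCP or IPv6 link-local address again silently stops being listen-only.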