[Tfug] Snort usage and security precautions

Brian Murphy murphy+tfug at email.arizona.edu
Mon Aug 14 18:16:01 MST 2006


I just keep it relatively up to date.  Where do you see new snort
vulnerabilities every other week?  I'm looking at the 2.4 series
release dates and it doesn't seem that bad.

Brian

Quoting Adrian <choprboy at dakotacom.net>:
> On Sunday 13 August 2006 11:54, Brian Murphy wrote:
>> What you want to do is use a unidirectional port tap to mirror traffic
>> at your uplink but not allow your snort sensor to send any signs of
>> existence to the bad guys.  This can be accomplished with higher end
>> switches or little hardware devices.[*]  If you can't do that, bring up
>> the snort interface but don't assign it an IP address. (ifconfig eth1
>> up)  It will still see the traffic because snort runs in promiscuous
>> mode.  Both cases require that you have a dedicated NIC for snort.
>>
>
> Well, I understand using a port tap (or in my case, port mirroring on my
> switches), but what do you do when you do not have a dedicated machine to act
> as your Snort client? I wasn't so concerned about bad guys knowing that a
> Snort box was present... Rather, what steps do you take to prevent/minimize
> chances the Snort box from being compromised by people throwing packets out
> randomly.
>
>
>>
>> [*] You may be able to get away with snipping the Tx line in your
>> ethernet cable but some switches won't link if you do this.  Ethernet
>> requires bidirectional traffic at the physical level.
>>
>> Quoting Adrian <choprboy at dakotacom.net>:
>> > Query: How many people are using Snort in a production environment? Using
>> > Snort on an internet facing interface?
>> >
>> > I keep thinking about deploying Snort as a detection/classification
>> > service, in addition to my existing firewall logging and periodic manual
>> > inspection... But it seems like every other week there is a serious
>> > security hole. Given that, I would hate to have it on my firewall or
>> > facing the internet in particular, though that is presumably where the
>> > "bad stuff" is you want to detect.
>> >
>> > Adrian
>> >
>> > _______________________________________________
>> > Tucson Free Unix Group - tfug at tfug.org
>> > Subscription Options:
>> > http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>>
>>
>>
>>
>> The opinions or statements expressed herein are my own and should not be
>> taken as a position, opinion, or endorsement of the University of
>> Arizona.
The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
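The address-less sniffing interface Brian describes above, written up as a small setup-and-audit script. This is an added example, not code from the thread; it assumes Linux with iproute2 and sysctl, and the interface name eth1 is a placeholder. It also turns off ARP and IPv6 autoconf, which the thread does not mention, because the kernel otherwise gives an "IP-less" interface a link-local fe80:: address as soon as the link comes up.

```shell
#!/bin/sh
# Added example: set up and audit a "silent" Snort sniffing interface.
# Assumes Linux with iproute2 and sysctl; "eth1" is a placeholder name.

# Print the commands that bring the dedicated NIC up with no address,
# no ARP, no IPv6 autoconf, in promiscuous mode. Apply as root with:
#   sensor_iface_cmds eth1 | sh
sensor_iface_cmds() {
    cat <<EOF
sysctl -q -w net.ipv6.conf.$1.disable_ipv6=1
sysctl -q -w net.ipv6.conf.$1.autoconf=0
ip link set dev $1 arp off
ip link set dev $1 multicast off
ip addr flush dev $1
ip link set dev $1 promisc on up
EOF
}

# Audit helper: given the output of "ip -o addr show dev IFACE", succeed
# only if no IPv4 or IPv6 address is configured on it. The usual surprise
# is the fe80:: link-local address assigned automatically at link-up.
sensor_iface_is_silent() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# Live check against the running system (needs only read access).
sensor_iface_check() {
    sensor_iface_is_silent "$(ip -o addr show dev "$1" 2>/dev/null)"
}
```

Run `sensor_iface_check eth1` from a cron job or your monitoring checks so the sensor interface does not quietly acquire an address after a reboot or a DHCP client change.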