Message Boards » Tech Talk » Snort IDS tips/tricks for setup?
GraniteBalls
Aging fast
12262 Posts

I've dabbled a bit in Red Hat and I know my way around a Linux machine, somewhat.

I've been reading guides and help topics on setting up a Snort IDS (IPS) and was wondering if any of you guys have had experience standing a Snort box up.

If so, what Linux distro did you use? What were the problems you encountered, and things you wish you had known?

8/3/2007 10:50:31 AM

BobbyDigital
Thots and Prayers
41777 Posts

I know CarZin has a lot of experience with this...

8/3/2007 11:22:39 AM

GraniteBalls
Aging fast
12262 Posts

PM sent.

Thanks.

[Edited on August 3, 2007 at 11:37 AM. Reason : how's the CCIE coming along?]

8/3/2007 11:37:19 AM

tsnww
Veteran
262 Posts

Do a search on Google for "snort how to" and there are some good guides to get you going.

http://www.snort.org/docs/FreeBSD47RELEASE-Snort-MySQLVer1-3.pdf

Here is one for BSD, but there are plenty for Fedora and other distros as well.

My only advice is be mindful of what rules you enable because an IDS is worthless with hundreds of thousands of false positives, or actually matching rules that you don't care about.

The biggest question is what /exactly/ do you want to accomplish on your network with a Snort box? Once you answer that, it's easy to design the product to fit your needs.

8/3/2007 3:08:20 PM

GraniteBalls
Aging fast
12262 Posts

I basically want to use it as a firewall that can log and block incoming attacks.

I realize it's a bit of overkill, but this is also a learning experience.

8/3/2007 3:17:40 PM

split
All American
834 Posts

I would go by your local bookstore and start reading through the Snort books. Find one with a style you like and buy it. Sure pretty much everything is available online, but a handy reference is nice to have and you can help the authors a bit by getting their book.

Getting Snort running is pretty easy; however, you will need to have a pretty good idea of what your goals are and how you want to accomplish them. A couple of things to think about:
* How are you going to log? XML, DB, syslog, etc.
* How much log data do you want? Basic info, full binary data, etc.
* How are you going to view the logs? Web frontend, automated alerts, etc.

As already mentioned, a *huge* part about running an IDS is tuning so that your signal/noise is reasonable. Nobody likes weeding through false positives all day long, so go through your snort.conf, set all your variables, tune the preprocessors for your environment (the book should help with this), and disable unneeded sigs (e.g. if you don't run IIS, don't run IIS sigs). That should get you started so that you can concentrate on more targeted tuning.

I would be glad to help if you run into problems or have any questions.

[Edited on August 3, 2007 at 10:09 PM. Reason : -]

8/3/2007 10:07:29 PM
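The rule-trimming advice in the two posts above (tsnww on false positives from rules you don't care about, split on disabling sigs for software you don't run) is the kind of thing that is easiest to do with a small script rather than by hand. The following is an added example, not Snort's own tooling and not code from anyone in this thread: it parses Snort 2 style rule lines, reports how many enabled rules there are per category (the first word of the msg, e.g. WEB-IIS), and comments out every enabled rule in the categories you name while leaving already-disabled rules alone. The sample rules are constructed for illustration and use the local SID range.

```python
import re

# Constructed sample rules in Snort 2 syntax, using the local SID range (>= 1000000).
SAMPLE_RULES = """\
# constructed sample rules for illustration
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sample cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sample ISAPI .ida request"; flow:to_server,established; content:".ida?"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN sample SSH connection burst"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sample already disabled"; sid:1000004; rev:1;)
"""

# A rule line: optional leading '#', the header up to '(', then the option block.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(alert|log|pass|drop)\s[^(]+\((?P<opts>.*)\)\s*$')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')

def parse_rule(line):
    """Return (enabled, msg, sid) for a rule line, or None for blanks and plain comments."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    msg, sid = MSG_RE.search(m.group("opts")), SID_RE.search(m.group("opts"))
    if not msg or not sid:
        return None
    return (m.group("off") is None, msg.group(1), int(sid.group(1)))

def enabled_by_category(rules_text):
    """Count enabled rules per category, taking the category from the msg's first word."""
    counts = {}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0]:
            cat = parsed[1].split(" ", 1)[0]
            counts[cat] = counts.get(cat, 0) + 1
    return counts

def disable_categories(rules_text, prefixes):
    """Comment out enabled rules whose msg starts with one of `prefixes`; everything else
    (including rules already commented out) passes through untouched. Returns (text, sids)."""
    out, disabled = [], []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] and parsed[1].startswith(tuple(prefixes)):
            out.append("# " + line)
            disabled.append(parsed[2])
        else:
            out.append(line)
    return "\n".join(out), disabled
```

Run `enabled_by_category` on a rules file first to see what you are actually loading, then feed the categories you don't need to `disable_categories` and write the result back as your tuned rules file.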

pmcassel
All American
1553 Posts

make sure the box you are using can handle your data rate
make sure you don't overwhelm the link (check for output queue drops)

8/3/2007 10:10:25 PM

CarZin
patent pending
10527 Posts

It has been a while since I ran a Snort box. I used to run a virtual machine on my Windows box that had Snort IDS running, but that has probably been 4 years.

snort.org should have everything you need to know about the product. In years past, you needed to make sure you disabled a lot of the processing, or your log files would contain tons of crap. So previous wisdom would be turn on only what you want. I loved it back in the day. Sorry I can't be much more help.

I will also mention that I have a managed switch, and sent bidirectional mirrored traffic from all the computers on the network onto a secondary NIC in my machine for processing.

[Edited on August 5, 2007 at 5:45 PM. Reason : ,]

8/5/2007 5:39:13 PM

GraniteBalls
Aging fast
12262 Posts

I'm downloading and standing up the Fedora Core 7 box today.

2 x 10/100 Mb NICs
512 MB PC133
Athlon 800 MHz
K7T Turbo2 mobo
40 GB HDD

That gonna be enough for this?

8/13/2007 10:17:52 AM

mellocj
All American
1872 Posts

^ You didn't say how much traffic you are going to be monitoring. If it's for your home cable/DSL connection I'm sure it will work.

I have messed around with Snort a bit... set up a 5-node monitoring system. I decided it was too much trouble with not enough gain to use in one of my production networks.

8/13/2007 2:10:03 PM

pmcassel
All American
1553 Posts

It sure has one of the fastest signature updating times of any product out,
not to mention the bleeding edge rules.

8/13/2007 10:39:34 PM

GraniteBalls
Aging fast
12262 Posts

It's basically a network load similar to a home setup with 5-6 PCs constantly running.

I'm not going to cut my teeth on a large network, here. lol

8/14/2007 11:44:02 AM

© 2024 by The Wolf Web - All Rights Reserved.