DD-SNC
06-23-2003, 01:41 AM
Does anyone use it and care to give me some more information about it? I would like to see it in action to get a better idea of exactly how it works.
bonnmac
06-23-2003, 02:01 AM
I use it, and like it. It can really give you a lot of information. But you have to check the logs. It's not something you just set up and forget about.
http://www.snort.org/

clockwork
06-23-2003, 02:31 AM
Originally posted by DD-SNC:
Does anyone use it and care to give me some more information about it? I would like to see it in action to get a better idea of exactly how it works.

In a nutshell it inspects packets and then compares them to its own signatures (think of it as a fingerprint in a networked world) and anomaly detection. It's a reporting tool by default; it isn't pro-active unless you make it such. Unless you've read the docs, it's a bit of a pain to set up exactly the way you want it to be. And if you run it on a system that does other things as well (read: hosts customers) then you need a swift kick in the rear. I'd recommend putting it on a switch port that is set up to do mirroring (aka monitoring) of other switch ports; then it can passively collect data for your consumption.

DD-SNC
06-23-2003, 06:15 AM
Very well written. Thanks guys.

sethgarnar
06-23-2003, 11:36 AM
Originally posted by clockwork:
I'd recommend putting it on a switch port that is set up to do mirroring (aka monitoring) of other switch ports; then it can passively collect data for your consumption.

Could do that, but the best way is to use a tap. Snort is great: you can log your data to MySQL and use ACID to look at everything, you can be alerted by e-mail or pager, and a slew of other options. I have tested to a small degree IDS+R with Snort and it was cool; you can have it add rules to drop people on your Linux servers and it can even drop people on a PIX.
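The two detection styles clockwork describes (signature matching of packet contents, plus anomaly detection) and the alert records sethgarnar says you would log to a database, shown as an added Python example. This is not code from the thread or from the Snort project: the rules, rule IDs, addresses (RFC 5737 documentation ranges) and packets are all constructed here, and the "too many distinct ports in a short window" heuristic is a hypothetical stand-in for a real anomaly preprocessor.

```python
"""Toy packet inspector: signature rules plus a simple anomaly heuristic.

Constructed example illustrating the signature-vs-anomaly split discussed
in the thread; it is not Snort and does not read real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes
    ts: float  # seconds; constructed timestamps


@dataclass
class Rule:
    sid: int            # constructed rule id, not a real Snort SID
    msg: str
    proto: str
    dport: Optional[int]
    content: Optional[bytes]


# Hypothetical rules: "fingerprints" that identify known-bad payloads.
RULES = [
    Rule(1000001, "HYPOTHETICAL cgi-bin probe", "tcp", 80, b"/cgi-bin/"),
    Rule(1000002, "HYPOTHETICAL telnet login prompt", "tcp", 23, b"login:"),
]


def match_rule(rule: Rule, pkt: Packet) -> bool:
    """A rule fires only when every constraint it carries is satisfied."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def signature_alerts(packets: List[Packet], rules=RULES) -> List[Tuple]:
    """Signature detection: compare each packet against every rule."""
    alerts = []
    for p in packets:
        for r in rules:
            if match_rule(r, p):
                alerts.append((r.sid, r.msg, p.src, p.dst, p.dport))
    return alerts


def anomaly_alerts(packets: List[Packet], window: float = 10.0,
                   max_ports: int = 5) -> List[Tuple]:
    """Anomaly detection: no fixed fingerprint, just behaviour that deviates
    from a baseline. Here: one source touching more than max_ports distinct
    ports on one host within `window` seconds (a crude scan heuristic)."""
    seen = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    flagged = set()
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.src, p.dst)
        seen[key].append((p.ts, p.dport))
        recent = {port for ts, port in seen[key] if p.ts - ts <= window}
        if len(recent) > max_ports and key not in flagged:
            flagged.add(key)
            alerts.append(("anomaly", f"{len(recent)} ports in {window}s",
                           p.src, p.dst))
    return alerts


# Constructed sample traffic: one benign request, one rule hit, one near-miss
# (right payload, wrong protocol), and a six-port sweep from a single host.
SAMPLE_PACKETS = [
    Packet("192.0.2.50", "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.0\r\n", 1.0),
    Packet("192.0.2.51", "192.0.2.10", 80, "tcp", b"GET /cgi-bin/test.cgi HTTP/1.0\r\n", 2.0),
    Packet("192.0.2.52", "192.0.2.10", 80, "udp", b"/cgi-bin/", 3.0),
] + [
    Packet("198.51.100.7", "192.0.2.10", port, "tcp", b"", 100.0 + i * 0.3)
    for i, port in enumerate([21, 22, 23, 25, 80, 110])
]


if __name__ == "__main__":
    # These tuples are what you would ship to a remote database or syslog
    # host rather than leave on the monitored box.
    for a in signature_alerts(SAMPLE_PACKETS) + anomaly_alerts(SAMPLE_PACKETS):
        print(a)
```

Run as-is it reports one signature hit (the cgi-bin probe on TCP/80; the UDP copy is ignored because the rule is protocol-bound) and one anomaly alert for the sweeping host, whose empty-payload packets match no signature at all, which is exactly why the two approaches complement each other.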
eBoundary
06-23-2003, 01:05 PM
Originally posted by clockwork:
And if you run it on a system that does other things as well (read: hosts customers) then you need a swift kick in the rear. I'd recommend putting it on a switch port that is set up to do mirroring (aka monitoring) of other switch ports; then it can passively collect data for your consumption.

There is absolutely nothing wrong with running Snort as a host based IDS instead of a network based IDS (especially when you do not have access to a tap/SPAN port or have a single server you wish to monitor). If you secure your server properly, set the permissions on files and directories properly and maintain the system effectively, then you have nothing to worry about. Granted, I log all of my host based IDSs to a dedicated logging system/syslog server/database, but this is purely for ease of management; having 40-50 IDSs logging to local systems would just be unbearable :)

clockwork
06-24-2003, 11:39 PM
Originally posted by eBoundary:
There is absolutely nothing wrong with running Snort as a host based IDS instead of a network based IDS

I care about the integrity of the data collected.

eBoundary
06-24-2003, 11:47 PM
Originally posted by clockwork:
I care about the integrity of the data collected.

Like I said, providing the host is secure then there is nothing wrong with it. For hosts that do not have access to SPAN ports or network taps, don't you think it's better to have SOME information about the traffic hitting the box rather than absolutely none? If you log to a remote server then the data integrity is assured. Keeping the data on the host it's logging on is risky, but like I said, something is better than nothing if you don't have access to the traffic before it hits your server.

clockwork
06-25-2003, 02:19 AM
Originally posted by eBoundary:
Like I said, providing the host is secure then there is nothing wrong with it.

Secure as in services running on the box, IPs being bound to the box, etc?
You can look at traffic without having a *routeable* IP bound to the box. Do you also recommend putting a firewall on a single box meant to protect itself? It really sounds like you're making excuses for small shops here; security should not be an afterthought or something that only gets incorporated if convenient (like installing Snort on a machine that serves customers). All in all, any DECENT data center can set you up with a box on a port that does spanning of your other ports in use. It's just a matter of how you value security. This is turning into My Security Policy vs. Your Security Policy now. wee!