It's reasonably easy to get a snort sensor running on ASL.
I even chrooted mine, although apparently you may not be able to do if you want to use promiscous mode (not that you need to).
I have it log to a mysql db on another machine (set your fw rules for this carefully), and I use ACID on the other machine to view the data. It works nicely, and only took a few hours to setup.
It would be nice if Astaro came with snort though.
I've done the same on my machine in the past (I think the binary I used was 1.9.1). I've disabled it since I've been working with snort_inline between my router and ASL. That will be going to the 2.0.1 binary from the honeyney site.
Snort with a hub vs. Inline are 2 distinctly different setups. Setup #1 Snort on a hub behind ASL. Simplest Setup #2 Snort ON ASL logging to an internal machine. Pretty easy. Setup #3 Snort Inline behind ASL in bridge mode. PITA - requires recompiling the kernel with the br-nf patch. Setup #4 Snort Inline behind ASL in NAT mode. Not too bad but requires some consideration with port forwarding etc.
Personally I like #2 above if you have a fixed IP. My setup has my DSL line connected to a Linksys router then through a RedHat Snort-bridge to my ASL machine. If I have some time I'd like to figure out how to get snort_inline running on the ASL machine logging to a MySQL database on an internal machine.
Jim, why does #2 have to be a fixed IP? (does the interface get stopped and restarted when IP changes?) Could snort be restarted at that point too?
I'm currently using #2 on our ASL at work, but it's got a static subnet. I'm using ACID for analysis... just have to be careful database doesn't get too big from all the worms
I have dynamic at home, but I haven't tried snort on it.
Jim, why does #2 have to be a fixed IP? (does the interface get stopped and restarted when IP changes?) Could snort be restarted at that point too?
I'm currently using #2 on our ASL at work, but it's got a static subnet. I'm using ACID for analysis... just have to be careful database doesn't get too big from all the worms
I have dynamic at home, but I haven't tried snort on it.
barrygould, I have dynamic at home too. so that is partly what has been stopping me from using snort at home.
I thought about trying the inline between my cable modem and my ASL, but not sure where to start...All I know is as of late I have been having so many intrusion attempts, I have to do something about it...
The fixed IP is because you want to define the HOME_NET variable in the snort.conf as the IP of your external interface so it ignores broadcast traffic or other traffic not destined for your machine.
I'm fairly competant and think I can use the Pluspak posted here for help getting gcc and libs on the astaro box, and compiling and running snort on it. I just wondered what the scenario's were for implementing it.
You don't have to compile it. There are statically compiled snort 2.0.2 binaries on the net. The one at honeynet.org is an "inline" version but that just means you can use the -Q option. Without it, it will work just like "regular" snort.
[ QUOTE ] The fixed IP is because you want to define the HOME_NET variable in the snort.conf as the IP of your external interface so it ignores broadcast traffic or other traffic not destined for your machine.
