Snort usage


LiNuts
10-30-2001, 06:09 PM
Would it be worth using snort for a standalone box that is only connected to an ISP? Or just use iptables and portsentry with logcheck.
Cheers
LiNuts

Choozo
10-30-2001, 06:42 PM
Well, snort won't stop anything - just report what's passing through based on a set of rules. It makes a nice addition to ipchains/iptables though.

Cheers :)

Token
08-07-2002, 10:38 AM
And based on what snort finds you can block stuff. Check out
www.chaotic.org/guardian

Floog
08-07-2002, 11:21 AM
Originally posted by LiNuts
Would it be worth using snort for a standalone box that is only connected to an ISP ?. or just use iptables and portsentry with logcheck.
Cheers
LiNuts

This strays a little from your Snort question, but it may be worth some consideration.

If you wanted to monitor all packets going in and out of your internet-connected box, you could open up a console and do:

tcpdump -i eth0 > /var/log/tcpdump_log

This will capture everything going in and out of your machine and log it to a file called tcpdump_log. Just run create a new log file every time you connect to the internet, or else you will probably over-write the file. So, you would gather them like so:
.../tcpdump_log2
.../tcpdump_log3

This may be too much of a pain for some folks, but it's a good start to see what's going in and out of your machine.

Also, tcpdump is pretty lightweight and won't hog a ton of resource power. I currently use it on a router/firewall linux-box (Pentium 166 MHz, 64 megs RAM, no X Window System) which is servicing a 15-client network.

Mike
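A script for the per-connection log files Floog describes, added here as an example and not taken from his post. It picks the next unused name in the tcpdump_log, tcpdump_log2, tcpdump_log3 series so an earlier capture is never overwritten, then starts tcpdump on it. The LOG_DIR and IFACE values are placeholders; unlike the post, it writes raw pcap with -w rather than redirecting text output, so the file can later be replayed with tcpdump -r or snort -r.

```shell
#!/bin/sh
# Added example (not from the forum post): start a tcpdump capture into a
# fresh, numbered file each time so earlier captures are never overwritten.
# Assumes tcpdump is installed; LOG_DIR and IFACE are placeholder defaults.

LOG_DIR="${LOG_DIR:-/var/log}"
IFACE="${IFACE:-eth0}"

# next_capture_path DIR: print the first unused name in the series
# tcpdump_log, tcpdump_log2, tcpdump_log3, ... inside DIR.
next_capture_path() {
    dir="$1"
    n=1
    path="$dir/tcpdump_log"
    while [ -e "$path" ]; do
        n=$((n + 1))
        path="$dir/tcpdump_log$n"
    done
    printf '%s\n' "$path"
}

# start_capture: capture every packet on IFACE into a new file.
# -n skips DNS lookups (no extra traffic from the sniffer itself);
# -w writes raw pcap instead of the text that "> file" would collect.
start_capture() {
    out=$(next_capture_path "$LOG_DIR")
    echo "capturing $IFACE to $out"
    exec tcpdump -i "$IFACE" -n -w "$out"
}

# Only start a capture when invoked as "script.sh run", so the functions
# can be sourced and checked without root or a live interface.
if [ "${1:-}" = "run" ]; then
    start_capture
fi
```

Run it as root each time you connect; reading a capture back later is `tcpdump -n -r /var/log/tcpdump_log2`.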

Floog
08-07-2002, 11:23 AM
Originally posted by Floog

Just run create a new log file every time . . . .

oops, drop the "run"

sloppy editing, i apologize.

Mike

ferreter
08-07-2002, 11:42 AM
Along the same lines of using snort, can you have an iptables based firewall AND snort running on one machine? If so how can you change the order in which packets are processed. For instance, if I want a perimeter based IDS I would need to have Snort be the first to filter the packets, then get processed by the firewall rule set. Just how is this done?

Ferreter

Token
08-07-2002, 01:12 PM
Well, because of the way things work, the packets would first traverse your iptables rulesets, then they would hit the snort filters. In this case snort would provide you with a second line of defense. Iptables "in this instance" would basically be used to only allow traffic to certain ports (web, mail, pop, ssh, ftp, etc.) and would enforce IP based access control lists. Snort would look at the traffic coming in on those ports that you left open and decide if the type of traffic coming to your servers is safe or not.

iptables allows or disallows traffic based upon IP, port, and protocol. snort would look at the data in the packets that pass the iptables firewall and decide if it's malicious or not.

For example, you allow everyone access only to your webserver on your box. Use iptables to close all ports but port 80. So now, you're basically secure from people trying to access FTP, SSH, or other stuff. Now snort takes over and looks at the data that's coming in. Is it standard web traffic, or does the traffic look like it's trying to do something it isn't supposed to?

I mean, to attack a webserver, what port are you going to connect to it on? Port 80. iptables doesn't know that you're gonna attack. As far as it knows you're just trying to look at some porn. Snort sees that you're trying to do funky things like run crazy stuff with a cgi directory or you're trying to access a root.exe file. Snort uses fingerprints and compares traffic to those fingerprints to make a decision whether it's malicious in nature or not. Think of snort as a virus scanner, but scanning network traffic for exploits instead of programs for viruses.

hope that cleared some things up...
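The two layers Token describes, written out as concrete configuration. This is an added example, not Token's own setup: layer 1 is an iptables policy that drops every inbound connection except port 80, layer 2 is a local Snort rule that alerts when a request carrying "root.exe" arrives on that open port. It assumes iptables with connection tracking (-m state); the rule file path and the sid 1000001 are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post: Token's two-layer model as config.
# Layer 1 (iptables) admits only HTTP; layer 2 (Snort) inspects what HTTP
# carries. Assumes iptables with -m state; sid 1000001 is a placeholder in
# the local-rule range.

IPT="${IPT:-iptables}"

# firewall_rules: print, one per line, the iptables commands for a host that
# serves only a web server. Printing them first lets the set be reviewed
# (or checked by a script) before it is applied as root.
firewall_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "IPT-DROP: "
EOF
}

# apply_firewall: execute the printed rules (run as root).
apply_firewall() {
    firewall_rules | sh -e
}

# port_open PORT: succeed if the rule set accepts NEW connections to PORT.
# Anything not listed (21, 22, ...) falls through to the DROP policy.
port_open() {
    firewall_rules | grep -q -- "--dport $1 .*-j ACCEPT"
}

# write_snort_rule FILE: one signature for the root.exe request the post
# mentions. iptables passes this packet (it is on port 80); Snort matches
# the payload and raises an alert. Quoted heredoc keeps $HOME_NET literal,
# since Snort expands those variables from its own config.
write_snort_rule() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS root.exe access"; flow:to_server,established; content:"root.exe"; nocase; sid:1000001; rev:1;)
EOF
}

# snort_rule_count FILE: number of active alert rules in FILE.
snort_rule_count() {
    grep -c '^alert ' "$1"
}
```

Include the written file from snort.conf with `include local.rules`; the firewall log prefix makes dropped connection attempts easy to pick out of syslog with a tool like logcheck, which is the kind of thing iptables reports on, while the Snort alert is the report on what came in through the port left open.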

ferreter
08-07-2002, 01:38 PM
The model you present is excellent from a security standpoint and makes perfect sense. But say I want to sniff out and report signatures which are happening on the outside of the firewall? I would be interested in any materials you may have on the ability to change the order of which daemon inbound packets traverse first.

Token
08-08-2002, 12:25 AM
Well you can do just that! Snort is basically a passive traffic monitoring app. You can place snort sensors all over your network. See http://www.snort.org for more info on how to do this.

Basically you'd have a snort box monitoring traffic coming from the external network and then passing on to the firewall box. Then you could have another snort box to see what stuff is getting through your firewall. Then you could put a snort box on each segment of your lan to see what kind of traffic is passing there. Think of snort as a sniffer on steroids. Instead of just blindly capturing data, it gives you info on what that data is doing by comparing it to the fingerprints in your rules and generating alerts based on the matching fingerprints.

But to have snort and iptables running on the same box, without some serious mucking around, I don't think you'll be able to let snort look at the data before it hits your iptables scripts.

--Anything's Possible...just depends on how much time and effort you decide to put into it and how much daylight you're willing to do without.