Snort mailing list archives

Re: Memory Usage - and eth2 Interface not monitored ?


From: Joerg Mertin <smurphy () solsys org>
Date: Wed, 13 Aug 2003 19:57:31 +0200

Hi again Erek, :)

On Wednesday 13 August 2003 19:18, Erek Adams wrote:
[... snip ...]
> Well, it's a matter of what you want.  If you're working on a low memory
> box, you might want to move to portscan instead of portscan2.  That
> eliminates the need for spp_conversation.  If you add
> 
>       config detection: search-method lowmem
> 
> to snort.conf it'll help a bit as well.
Did that ... and used portscan instead of portscan2. Saved 50MBytes of active 
memory ...

[...snip...]

> > Dynamic through DHCP - it means - from time to time it can change.
> 
> Easy to handle.
> 
>       var HOME_NET $eth2_ADDRESS

This I have done. I had it configured the wrong way, as I used the firewall 
approach (well, the one I understood). Now it's OK.

> Keep in mind that each time the address changes, you'll have to restart
> Snort.

Hmmm. No problem. Using ifplugd under Mandrake should do the trick...
Yep - configured /etc/ifplugd/ifplugd.actions.
Every time the interface registers a change in status, e.g. no IP address or 
no cable connected, the system shuts down the network device. When it comes 
back up, it restarts shorewall and snortd.
Now I only need to check whether pump does it as well.

> > However - isn't the snort philosophy the same as in firewalls?
> 
> Nope.
Just noticed :)

> > HOME_NET is the private LAN, and the EXTERNAL_NET is the firewall device?
> 
> Not exactly...  HOME_NET == what you want to protect.  EXTERNAL_NET ==
> everything else.  In your situation, HOME_NET would be the 10.x range.  I'd
> suggest using

Well - that's the point. I want to protect my private LAN 10.0.x.0; the 
80.83.36.184 is my public interface, the one connected to the Internet, and 
the one that should be handled by the packet filter. And, from what I 
understand, in this case the 80.x WAN interface is the one I want to protect 
from the "world", except my LAN (10.0.x.0). So it's a little bit confusing 
for me.

Actually, what I'm missing somewhere in the docs (I haven't read/found all of 
them yet) is a statement that says:
Snort is best put between 2 active public IP addresses connected to their own 
devices with routing set up correctly, so you can connect a packet filter to 
device 1 and snort to device 2, to check what gets through the packet filter.

>       var EXTERNAL_NET !$HOME_NET

yeah - that's set.

[...]

> Since you have Snort and Shorewall on the same box, that isn't odd.  Both
> use libpcap to 'see' packets.  Since it's seen at the same level (libpcap)
> then both applications will see the packets at the same time.  I'd suggest
> listening on the 'back end' interface.  That way you see what 'gets past'
> the firewall.  It'll help cut down on all the noise.

Hmmm.... What do you call the back-end interface? Because I would like to get 
the traffic way down... and I actually thought that shorewall would block 
everything already.

Here are my LANs:
eth0          inet addr:10.0.2.1  Bcast:10.0.2.255  Mask:255.255.255.0
eth2          inet addr:80.83.36.184  Bcast:80.83.39.255  Mask:255.255.252.0
eth3          inet addr:10.0.4.1  Bcast:10.0.4.7  Mask:255.255.255.248
eth1 is a test interface used for Bridging etc. - I'm only using it when I 
feel the need for speed ;)

However - as you stated before, snort is using libpcap (guess I have to check 
the code, not much documentation on it) at the same level as shorewall, so it 
sees everything shorewall sees too. As physically all these network devices 
are on the same machine, this would require getting snort to listen on device 
eth0 (which I did before). But as I don't have routing, except one-way NAT 
(no SNAT) set up, nothing, or at least nothing coming from outside, should 
ever be noticed on eth0 - right? So what reason would I have to use snort?
There should be the possibility to only check what comes in behind the packet 
filter. I know that this would be possible on a real active firewall, because 
they have 2 physical interfaces connected by proxy processes "actively 
passing" the packets from one interface to the other, without IP forwarding 
between the interfaces, where you could configure snort on the internal one. 
However, how do you do that with packet filters running on 1 interface and 
"actively blocking" packets? This would only work if I had a public internal 
IP address (instead of the 10.0.2.1 IP) and valid routing configured between 
these IP addresses ... as I stated before...
Correct me if I'm wrong.

So my option is to leave it running on the WAN interface (eth2), and just 
make sure I ignore loads of unneeded stuff ... And I guess this goes into 
local.rules. (Damn - I've been playing around with it for 4 hours now, and 
still I didn't get it all ;o) ) ...

Or:

Configure a dummy network device with a 192.168.x.1 IP address, set up 
source NAT to forward all packets going to the WAN eth2 interface to the 
dummy interface, and tell snort to listen on the dummy interface. Actually, 
something like this:

Internet -- [ eth2 - Packet Filter ] -- SNAT --- [ dummy0 - Snort ] -- Intranet

while routing tables must enable both sides to find each other...
Pfff... That'll make it complicated. I think I'll stay with option 1 :)

> Hope that helps!

It does :) Definitely ;) Thanks!

-- 
It is your concern when your neighbor's wall is on fire.
                -- Quintus Horatius Flaccus (Horace)
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy () solsys org                (Home)|
| in Neuchâtel/Schweiz      :  smurphy () linux de                  (Alt1)|
| Stardust's LiNUX System   :  smurphy () net2000 ch                (Alt2)|
| Web: http://www.solsys.org:  Voice & Fax: +41(0)32 / 725 52 54       |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
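[Editor's added example, not part of the original message and not code from the Snort or ifplugd projects.] The ifplugd approach discussed above (restart snortd whenever the DHCP-assigned address on eth2 changes) and the HOME_NET/EXTERNAL_NET discussion can be tied together in one action script. The script below assumes ifplugd invokes it as `<script> <iface> up|down`, that snort.conf pulls its two var lines from a separate file /etc/snort/snort-vars.conf via `include`, that the `ip` tool is available, and that the service is called snortd; those paths and names are assumptions, as is the choice to put both the LAN range and the current WAN address into HOME_NET so the same file works whether Snort listens on eth0 or eth2. The addresses used for testing are the ones quoted in this thread.

```sh
#!/bin/sh
# Added example: keep Snort's HOME_NET in step with a DHCP-assigned WAN address.
# Assumed contract: ifplugd calls "<script> <iface> <up|down>"; snort.conf has
# "include /etc/snort/snort-vars.conf"; the service is restarted as "snortd".

LAN_NET="10.0.2.0/24"                            # the private LAN to protect
VARS_FILE="${VARS_FILE:-/etc/snort/snort-vars.conf}"   # assumed include file

# Pull the first "inet a.b.c.d/len" field from `ip -4 -o addr show dev <iface>`
# output read on stdin. Prints nothing if the interface has no IPv4 address yet
# (e.g. link is up but the DHCP lease has not arrived).
addr_from_ip_output() {
    awk '/ inet /{ for (i = 1; i <= NF; i++) if ($i == "inet") { print $(i+1); exit } }'
}

# Render the Snort variable block for a LAN network and the current WAN address.
# HOME_NET is a bracketed, comma-separated list with no spaces (Snort 2.x syntax);
# EXTERNAL_NET is everything that is not HOME_NET, as suggested in the thread.
render_snort_vars() {
    lan_net="$1"
    wan_addr="$2"
    printf 'var HOME_NET [%s,%s]\nvar EXTERNAL_NET !$HOME_NET\n' "$lan_net" "$wan_addr"
}

# Write the rendered block to $1 only if it differs from what is already there.
# Returns 0 when the file changed (Snort needs a restart), 1 when it did not,
# so a link flap that keeps the same lease does not bounce Snort for nothing.
update_snort_vars() {
    file="$1"; lan_net="$2"; wan_addr="$3"
    tmp="$file.tmp.$$"
    render_snort_vars "$lan_net" "$wan_addr" > "$tmp"
    if [ -f "$file" ] && cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$file"                            # atomic replace
    return 0
}

# ifplugd entry point: $1 = interface, $2 = up|down (assumed ifplugd contract).
ifplugd_handler() {
    iface="$1"; status="$2"
    [ "$status" = "up" ] || exit 0               # nothing to do on link down
    wan_addr=$(ip -4 -o addr show dev "$iface" | addr_from_ip_output)
    if [ -z "$wan_addr" ]; then
        echo "no IPv4 address on $iface yet, leaving snort alone" >&2
        exit 0
    fi
    if update_snort_vars "$VARS_FILE" "$LAN_NET" "$wan_addr"; then
        service snortd restart                   # assumed service name
    fi
}

# Only act when invoked by ifplugd with arguments; sourcing the file is harmless.
if [ $# -ge 2 ]; then
    ifplugd_handler "$1" "$2"
fi
```

Install it as the ifplugd action for eth2 and make sure snort.conf no longer carries its own `var HOME_NET` / `var EXTERNAL_NET` lines, otherwise the included file is silently overridden. The no-address branch matters with pump: ifplugd reports link up before the lease is in, so a second "up" (or a pump hook) is what actually produces the address.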



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net