Snort mailing list archives

Re: Install location


From: "Eckhardt Newger" <enewger () gmx de>
Date: Tue, 18 Jan 2005 11:44:46 +0100

Hi Seth Art,

Many thanks for your detailed explanation. I really appreciate that.

Still some concerns:

1. Outside the router, I'll see no internal IP address of the
workstations, but the (external) IP address of the router. On the other
hand, the router forwards each valid incoming package to the
appropriate workstation, so this information must be available, perhaps
not in explicit form. Does that mean a Snort analysis wouldn't reveal
the destination of a certain package?

2. My router actually is a combined WLAN router/switch. If I attach the
hub to one of the LAN ports on this router and connect all LAN
workstations and Snort to the hub, then Snort is able to see all network
traffic (WAN, LAN) of all LAN workstations, isn't it? OK, but I can't
see how to sniff the WLAN traffic of those workstations which use the
router as their access point, or do I miss something? The only solution
I could think of is to install a second access point, attach it to the
hub, and let the WLAN workstations connect via this new access point (or
install a hub with a built-in access point, but I'm not aware if such a
device exists). Will this work, because now I have two
"inputs"/"outputs", router and access point, which have to be repeated?

Best regards

Eckhardt Newger

-----Original Message-----
From: Seth Art [mailto:sethart () gmail com]
Sent: Monday, 17 January 2005 21:16
To: Eckhardt Newger
Subject: Re: [Snort-users] Install location

The advantages and disadvantages are exactly what you would expect.
Consider this example. Hacker sends exploit code to port 21 at your
public address. Nothing happens because your router/firewall is
blocking port 21 and/or you are not running an FTP server. Then he
tries to send exploit code to port 80. This does go through your
firewall because you do have a webserver on one of your machines running
on port 80.

Now if you are getting alerts from outside the firewall you see the
first exploit he tried, which failed, and also the second exploit he
tried, which got through your firewall (but luckily your webserver was
all patched up so you were not vulnerable to the exploit... GOOD JOB
:)

If you are only looking at the alerts that get past the firewall you
will never know about the exploit sent to the ftp port.  You will only
see the alert that went to the HTTP port and hit your webserver.

For a more complete view of what people are trying to do to your network
you would want to record all the alerts. But the fact is that in a
bigger organization when you have thousands of scans randomly hitting
your firewall it might just not be feasible to record every alert that
hits your firewall. This is why I only concentrate on the traffic that
goes THROUGH the firewall and is still malicious enough to generate an
alert. Said another way: if I am not running a web server on one of my
DMZ machines, and I know my firewall would block anything to port 80 on
that machine, do I really need to see the thousands of scans or crap
sent to port 80 on that machine? There are valid arguments for both.

Other considerations. If the hub is outside of the
firewall/switch/router all the alerts will look like they are going to
the same IP address, your public address. It will not be as obvious as
to which internal machine was attacked. If you know that only machine A
is running FTP and machine B is running HTTP it's ok. BUT all clients
are running web browsers. Snort will alert you if a client
goes to a malicious website for instance. If you run Snort outside
the router you will not know which client went to the malicious site.
It will just say the source is your public Internet address (not a
192.x.x.x address). But if you were running the sensor behind the
firewall, you would know exactly which client went to the site. You
would see the 192.x.x.x numbers.

This is the main reason that at home I like to have all my machines on
the hub and have Snort sniff only the traffic that has already passed
through the router.

*********
Now that I think about it, you know, you can have a Snort sensor on each
side of the firewall. One before and one after, AND you could even have
one sensor with yet another interface and have one Snort process running
on the interface on one side of the router, and another Snort process
running on the interface that is on the other side of the sensor. But
you have to do a lot more reading for all of that to make sense probably.
********

Good luck,

Seth


On Sat, 15 Jan 2005 00:00:59 +0100, Eckhardt Newger <enewger () gmx de>
wrote:
Hi Seth Art,

Thanks a lot. Now I see clearly why I need a hub in order to replicate
the whole net traffic I want to sniff. Also thanks for directing me to the
thread concerning NIC configuration.

Still there are two possibilities for setup as you mentioned:

1. DSL modem --> hub --> router

2. DSL modem --> router --> hub

where Snort is always attached to the hub, and all workstations to
the router in 1. and to the hub in 2. Can you explain in short the
pros and cons of both installations, or do you have a link where to
get more information on that? Obviously I'll get much more logging in
setup 1., before lots of traffic is thrown away by the router. Is it
worthwhile looking at it? Or are there other advantages?

Best regards

Eckhardt Newger

-- 
Incoming e-mail is virus-free.
Checked by AVG anti-virus system.
Version: 7.0.302 / Virus database: 265.6.13 - Release date: 16.01.2005
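The following is an added example, not code from the thread or from the Snort project. It models the two sensor positions discussed above (hub between modem and router versus hub behind the router) and Eckhardt's first question, whether an alert seen outside the router can be tied to an internal workstation. All addresses, the port-forward rule and the NAT state table are constructed assumptions standing in for what a real router keeps internally; a real sensor would have to obtain that table from the router (or from the router's own logs) to do the same correlation.

```python
"""Sensor placement model: what Snort sees outside vs. inside a NAT router.

Added example (constructed data, documentation address ranges).  The
port-forward and NAT tables are assumptions that stand in for the
router's internal state.
"""
from dataclasses import dataclass
from typing import List, Optional

PUBLIC_IP = "203.0.113.10"   # router WAN address (constructed)

# Static port forward configured on the router (constructed):
# inbound TCP/80 goes to the internal web server.
PORT_FORWARDS = {("tcp", 80): ("192.168.1.20", 80)}

# Dynamic NAT state for outbound client sessions (constructed):
# (proto, external port) -> (internal ip, internal port)
NAT_TABLE = {("tcp", 40001): ("192.168.1.31", 51000)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed traffic as it appears on the wire *outside* the router:
# every packet is addressed to the single public IP.
WAN_PACKETS = [
    Packet("tcp", "198.51.100.7", 33333, PUBLIC_IP, 21),   # attempt at FTP: no forward rule
    Packet("tcp", "198.51.100.7", 33334, PUBLIC_IP, 80),   # attempt at the forwarded web port
    Packet("tcp", "192.0.2.99", 80, PUBLIC_IP, 40001),     # reply from a web site to a client's session
]


def outside_view(packets: List[Packet]) -> List[Packet]:
    """Sensor on a hub between modem and router: sees everything,
    including what the router is about to drop, all with dst=PUBLIC_IP."""
    return list(packets)


def translate_inbound(pkt: Packet) -> Optional[Packet]:
    """What the router does with one inbound packet: rewrite the
    destination from a forward rule or NAT state, or drop it."""
    target = PORT_FORWARDS.get((pkt.proto, pkt.dport)) or NAT_TABLE.get((pkt.proto, pkt.dport))
    if target is None:
        return None   # no rule and no session state: dropped at the router
    ip, port = target
    return Packet(pkt.proto, pkt.src, pkt.sport, ip, port)


def inside_view(packets: List[Packet]) -> List[Packet]:
    """Sensor on a hub behind the router: only forwarded packets, and the
    destinations are now the real 192.168.x.x workstation addresses."""
    translated = (translate_inbound(p) for p in packets)
    return [t for t in translated if t is not None]


def attribute_outside_alert(pkt: Packet) -> Optional[str]:
    """Map an outside-view alert back to the internal host it reached,
    using the router's tables.  None means the router dropped it, so no
    internal host was involved (the 'failed exploit' case)."""
    t = translate_inbound(pkt)
    return t.dst if t is not None else None


def summarize() -> dict:
    """Counts a defender would compare when choosing the hub position."""
    outside = outside_view(WAN_PACKETS)
    inside = inside_view(WAN_PACKETS)
    return {
        "alerts_outside": len(outside),
        "alerts_inside": len(inside),
        "dropped_by_router": len(outside) - len(inside),
        "internal_hosts_seen_inside": sorted({p.dst for p in inside}),
    }


if __name__ == "__main__":
    print(summarize())
    for p in WAN_PACKETS:
        print(f"outside: dst={p.dst}:{p.dport} -> internal host: {attribute_outside_alert(p)}")
```

The outside sensor records three events but every one of them points at 203.0.113.10; the inside sensor records only the two packets the router actually forwarded, each already carrying the workstation's private address. Recovering the workstation from an outside-side alert is only possible with the router's forward rules and current NAT state, which is exactly the information Seth notes is not visible on the WAN side of the hub.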


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
