• State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 22 subscribers
  • Views 478 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

LEMs Snort

evanr

I have been trying to get Snort going on our LEM box and while the process shows up in top.  It doesn't appear some of the rule are working.  I followed this guide SolarWinds Knowledge Base :: Snort IDS Best Practices.  It would seem there are some discrepancies in the .conf files.  I have edited the snort.conf with our subnets as well as the snort.debian.conf.  I'm not entirely sure which one needs to be updated.  Per the guide the variables are updated in the snort.debian.conf and I guess then are queried from the snort.conf.  Does anyone have a definitive guide for this on LEM?  Or am I better off setting up Snort from scratch on a dedicated box?

  • 0

    Here is a sample of my config file for snort.debian.conf

    DEBIAN_SNORT_STARTUP="boot"

    DEBIAN_SNORT_HOME_NET="[Use commas between multiple addresses]"

    DEBIAN_SNORT_OPTIONS="-A fast -I -N --nolock-pidfile"

    DEBIAN_SNORT_INTERFACE="eth1"

    DEBIAN_SNORT_SEND_STATS="true"

    DEBIAN_SNORT_STATS_RCPT="root"

    DEBIAN_SNORT_STATS_THRESHOLD="1"

    This is for the eth1 interface (the interface with no IP address)

    Snort is left unconfigured for the management interface. This is done by using the following syntax:

    DEBIAN_SNORT_STARTUP="manual"

    In the snort.conf file I have configured the HOME_NET variables as well (just to be sure) and the EXTERNAL_NET as well.

    In debian I know that the snort.debian.conf file is used for configuration of variables. The question would be then what file SUPERCEEDS the other. That I do know. I would advise you to log in through SSH to Solarwinds, go to Appliance and enter "checklogs". From here you can check both the daemon logs(5) or Snort(3...i think). The daemon logs will let you know if you have a snort configuration issue. The Snort log will show you alerts.

    Hope this helps Good luck!

  • 0 in reply to martindl76

    Yeah it's definitely up and configured.

    21714 snort     20   0  134m  52m 3780 S    3  0.7   0:44.63 snort

    1371060294000 SLEM snort[21601]: Initializing Network Interface eth0

    1371060294000 SLEM snort[21601]: Initializing daemon mode

    1371060294000 SLEM snort[21601]: Daemon parent exiting

    1371060294000 SLEM snort[21714]: Daemon initialized, signaled parent pid: 21601

    1371060295000 SLEM snort[21714]: Checking PID path...

    1371060295000 SLEM snort[21714]: PID path stat checked out ok, PID path set to /var/run/

    1371060295000 SLEM snort[21714]: Writing PID "21714" to file "/var/run//snort_eth0.pid"

    1371060295000 SLEM snort[21714]: Decoding Ethernet on interface eth0

    1371060330000 SLEM snort[21714]:

    1371060330000 SLEM snort[21714]: [ Port Based Pattern Matching Memory ]

    1371060330000 SLEM snort[21714]: +-[AC-BNFA Search Info Summary]------------------------------

    1371060330000 SLEM snort[21714]: | Instances        : 242

    1371060330000 SLEM snort[21714]: | Patterns         : 21229

    1371060330000 SLEM snort[21714]: | Pattern Chars    : 190012

    1371060330000 SLEM snort[21714]: | Num States       : 123529

    1371060330000 SLEM snort[21714]: | Num Match States : 17345

    1371060330000 SLEM snort[21714]: | Memory           :   4.50Mbytes

    1371060330000 SLEM snort[21714]: |   Patterns       :   0.99M

    1371060330000 SLEM snort[21714]: |   Match Lists    :   1.79M

    1371060330000 SLEM snort[21714]: |   Transitions    :   1.63M

    1371060330000 SLEM snort[21714]: +-------------------------------------------------

    1371060330000 SLEM snort[21714]:

    1371060330000 SLEM snort[21714]:         --== Initialization Complete ==--

    1371060330000 SLEM snort[21714]: Snort initialization completed successfully (pid=21714)

    snort.conf

    var HOME_NET sub1/16,sub2/24

    var EXTERNAL_NET !$HOME_NET

    snort.debian.conf

    DEBIAN_SNORT_HOME_NET="[sub1/16,sub2/24]"

    We would like to deploy this as a true IDS solution to capture traffic stats for our entire LAN.  Will this only work if we log all our fw/security devices through LEM?  I can tell you I tested a simple port scan against another device on our network and Snort did not detect it.  Possibly a rule config issue, or am I asking too much from LEM?

    Only when I actually scanned the LEM machine did any rule fire off.

    06/12-14:12:31.380821  [**] [122:1:0]  <eth0> (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} x.x.x.x -> s.s.s.s

    x = scanning box

    s = lem box

  • 0 in reply to evanr

    Just in case anyone else is running LEM via HyperV and is looking to do the same thing.

    Straight from the horses mouth:

    Snort included on LEM is capable of sniffing the entire network as long as you're forwarding all the network's traffic to an anonymous (no IP) promiscuous mode NIC in the LEM. This would basically require mirroring or spanning the traffic from a core switch/router that all traffic flows through, down a dedicated port on that switch/router to the physical host that LEM is running on.

    Having said that, I'm afraid that Hyper-V 2008 does not support this type of setup. It's virtual switches require that the traffic have a specific destination relevant to the VMs.

  • FormerMember
    0 FormerMember

    We're continuing to track HV's support for promiscuous mode to see if this is possible.

    Also, it's possible our docs are out of date. We don't see a lot of customers using Snort in the virtual environment anymore because of the spanning/mirroring requirements (usually best done by dedicating a hardwired port to the LEM virtual appliance and assigning it to the second interface) and the version of Snort referenced in the docs is probably older than the one actually shipping on the appliance.

    From a rules management perspective it may also be easier to deploy Snort on your own so that you can update it (or use a newer version of it) and more easily use their VRT rules, even the delayed version. Depends on how current you need your ruleset to be and how much management you want to do.

  • 0 in reply to FormerMember

    There is a reg hack I found that would do the job for us in HV.  But since then we have decided to deploy a dedicated Snort box to do the job for us.  Thanks for the info.

  • 0

    we have this up and running on Hyper-V Core 2016.

    you have to run some powershell commands on the host and then set the NIC on the server to be a destination port then setup a port span on your physical switch between your source and destination, but it appears to be working now

    Powershell on Host

    $portFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
    # None = 0, Destination = 1, Source = 2

    $portFeature.SettingData.MonitorMode = 2
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <Virtual Switch Name> -VMSwitchExtensionFeature $portFeature

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.