If you set up a Snort sensor as a dedicated NIDS, have it watch as much traffic as it can handle at one time. Why watch a single server, when you can monitor every host on your DMZ? Snort puts a network card in promiscuous mode, so it watches all network traffic that flies by. You can edit your snort.conf file to limit what you want Snort to react to, but the network card grabs every packet it can. The key to making Snort watch more of a network is letting it see more of that network.
When it comes time to choose the hardware for running Snort, and you're worried about Snort seeing enough of your network, pick a server that looks good. After all, the better you look, the more you see.
Switches, repeaters, and hubs, oh, my!
For a Snort user, there's one important difference between hubs (or repeaters) and switches:
- Hubs repeat data to every port.
With hubs, a network card in promiscuous mode easily watches other people's network traffic (because everyone's packets already go to everyone else).
- Switches only send data to the port where that data's ultimate destination lies.
A switch knows which MAC address is on each port. It takes data that comes in on a port (or ports) and spits it back out on another port (or ports). A switch reduces the total traffic on the network by only sending data destined for a particular device's MAC address to the switch port that device is plugged in to.
A switch's ability to forward traffic only to devices that the traffic is destined for means that switches are much better performers and are more scalable than hubs. The other side of that coin, however, is that traffic not destined for a particular device is hidden from that device. Since your Snort box is just another device plugged into the switch, this presents a problem: If you want to monitor the entire network's conversations, you want to be able to listen to all of the conversations at once. This is easy with a hub, but difficult with a switch.
Most modern switches can designate a specific port as a monitoring port. The monitoring port can watch all traffic between any port (or group of ports) on your switch. On some switches, such as Cisco switches, the monitoring port is called a SPAN port. Consult your switch's documentation to set up a monitoring or SPAN port.
Some switches can't be configured with a monitoring port. Those little eight-port switches that cost $100 a few years ago are a good example. If your switch can't designate a monitoring port, consider either
- Using a hub to repeat the traffic that you want to monitor
- Replacing your switch with one that allows you to designate a monitoring port
Location, location, location
What Snort monitors depends on where it is on your network.
- A DMZ (De-Militarized Zone) network is a kind of limbo, a neither here nor there zone that has tight controls on what network traffic goes in and what comes out. Traditionally, it's a semi-trusted network where publicly facing Internet servers reside.
- NAT stands for Network Address Translation, a way to hide multiple machines using private IP space behind a much smaller chunk of public IP space. With NAT, your end-user workstations and internal file servers can initiate outgoing Internet connections, but other hosts on the Internet can't initiate connections the other way.
Keeping servers in a DMZ keeps your NAT network secure. If one of your Internet-facing servers in your DMZ is cracked, the damage should be limited because the hacker can't get out of the DMZ to your internal network.
Covering your assets
If your network is for a business or other organization that uses the Internet, network Internet access probably is critical to your business operating smoothly. Even e-mail can be vital to day-to-day operations, so keeping these servers safe is key. If you have publicly facing Internet servers in a DMZ, watch here for trouble: Internet access to your servers means that you can tell the entire world about www.yoursite.com, but the entire world can poke, prod, and tickle your servers, too.
Any place you have publicly facing Internet servers is a place for Snort.
If you use a separate DMZ network, you must do the following:
- Designate a port on your DMZ switch as a monitoring port.
- Tell your snort.conf file that you want to monitor this subnet.
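The snort.conf variables that do the "tell Snort about this subnet" step, as an added example rather than a fragment from the book or from Snort's own distributed snort.conf. The DMZ subnet (192.0.2.0/24), the web server addresses and the interface name eth1 are constructed placeholders; Snort 2.x syntax is assumed.

```snort
# Added snort.conf fragment (Snort 2.x syntax), not from the book.
# Constructed placeholders: the DMZ is 192.0.2.0/24, the sanctioned
# web servers are .10 and .11, and the sensor NIC on the SPAN port is eth1.

# "Us": the DMZ subnet that the monitoring/SPAN port shows the sensor.
var HOME_NET 192.0.2.0/24

# "Them": everything that is not the DMZ.  With !$HOME_NET, rules that
# require an $EXTERNAL_NET source stay quiet for DMZ-to-DMZ traffic
# (less noise, but a compromised DMZ server attacking its neighbours is
# not seen).  Use "any" instead to see that traffic, at the cost of
# more false positives to tune out.
var EXTERNAL_NET !$HOME_NET

# Server-specific rules only inspect traffic aimed at these hosts.
var HTTP_SERVERS [192.0.2.10,192.0.2.11]
var HTTP_PORTS 80
var DNS_SERVERS $HOME_NET

# Start the sensor on the NIC cabled to the monitoring/SPAN port.  That
# NIC needs no IP address; Snort puts it in promiscuous mode itself:
#   snort -c /etc/snort/snort.conf -i eth1 -D
```

Once alerts start flowing, tighten the server lists and ports before touching individual rules; most early false positives come from a rule being applied to a host it was never meant for.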
After watching this traffic for a while, you start to see alerts for Web server attacks and attempts to squeeze your servers for network information. Keep an eye on Snort's alerts and start trimming your configuration to reduce false positives.
Monitoring your DMZ alerts you when someone attacks a server and tells you whether an already compromised server is attacking other servers in the DMZ. This information is critical to network forensics.
Seeing who isn't on the guest list
In almost every case, you should monitor unfiltered Internet traffic. This traffic is directed at your network, but hasn't had a chance to be rejected by your firewall. Though most bad traffic gets the boot from your firewall and never touches the protected parts of your network, it's nice to see what that traffic is. If your boss ever wants stats on how well your firewall is doing its job, this is one great resource.
Although this isn't necessary, it's usually helpful to have unfiltered IP space for network troubleshooting. If there's a switch in front of your firewall, but you can't designate a monitoring port on it, throw a hub between your router and switch. This lets you plug your Snort sensor in front of the firewall; for many sites, it won't introduce any bottlenecks. (A T1 line is only 1.54 Mbps, and even the cheapest hub handles 10 Mbps.)
If you monitor unfiltered Internet traffic, you see a lot of alerts. You should see a slew of such attack alerts as
- Port scans that never make it past your firewall
- Random worm activity directed at hosts that don't exist
This data is proof that your firewall is doing its job.
Keeping tabs on the inside
Although it seems logical that you'd want to use Snort to monitor your internal NAT network filled with end-users and file servers, for a couple of reasons you shouldn't try it until you've gained some experience scaling and tuning your Snort system:
- Bandwidth: Internal LANs typically run at 100 Mbps to ensure fast access to internal file servers or databases. Compare this to the size of the pipe from the Internet to your DMZ. If every host on your internal network has a 100 Mbps dedicated pipe (thanks to the magic of modern switches, this is now the norm), your Snort system must watch a lot of traffic at once. This is possible with Gigabit Ethernet interfaces and systems with really fast processors, but your super-fast Snort system may be pushed to its limits.
- False positive alerts: Snort has a built-in notion of us vs. them, which is most evident in the snort.conf settings var HOME_NET and var EXTERNAL_NET. Snort has a very hard time correctly differentiating between legitimate internal network traffic and hostile attacks. You can get around this by setting both variables to any, but it doesn't change the fact that Snort is looking for attacks. Snort's default set of rules assumes that your HOME_NET needs to be protected from your EXTERNAL_NET.
If your system can handle watching the big bandwidth of a LAN, Snort is your best friend for monitoring internal LAN traffic. Watching internal LAN traffic can be a great way to make sure that your users are sticking to the network policy if you have
- A high-performance Snort sensor with CPU cycles and RAM to spare
Your highly tuned rule set should include rules that you develop yourself. You can write rules to alert you if you start seeing HTTP traffic coming from anything that isn't a sanctioned Web server. Or consider a rule to watch for spyware trying to phone home from your internal LAN.
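Two rules of the kind just described, written as an added example; they are not the book's rules and not part of Snort's own rule set. They assume HOME_NET is the internal LAN and HTTP_SERVERS lists the sanctioned web servers (both set in snort.conf), use SIDs from the local 1000000+ range, and the spyware User-Agent string is a placeholder to replace with one from your own investigation.

```snort
# Added local.rules examples (Snort 2.x syntax), not the book's rules.
# Assumes HOME_NET is the internal LAN and HTTP_SERVERS the sanctioned
# web servers.  SIDs 1000001+ are the local range; the User-Agent value
# below is a constructed placeholder.

# An HTTP response (source port 80) from any host that is not a sanctioned
# web server: a rogue or compromised box is serving web pages.  Matching
# on the response start line keeps chatter on port 80 from firing it.
alert tcp !$HTTP_SERVERS 80 -> any any (msg:"LOCAL HTTP server response from unsanctioned host"; flow:from_server,established; content:"HTTP/1."; depth:7; classtype:policy-violation; sid:1000001; rev:1;)

# An internal host phoning home to the Internet with a known bad
# User-Agent.  The content match keeps ordinary web browsing quiet even
# if EXTERNAL_NET is set to any.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL possible spyware phone-home"; flow:to_server,established; content:"User-Agent|3a| PLACEHOLDER-SPYWARE-AGENT"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)
```

Bump rev each time you tune a rule so that alert history stays comparable across changes.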