[Discuss] running Snort on a consumer-grade router

Tom Metro tmetro-blu at vl.com
Thu Jan 19 16:07:20 EST 2012


Chris O'Connell wrote:
> Or do you just mean you want to use Snort to listen to traffic on
> said router by installing it on a separate computer?

I was hoping to hear more about how this might be possible at the talk.
You mentioned "sensors", but that seemed to be shorthand for a
commercial appliance with physical network connections, not a chunk of
software that can be put on a router.

So I'm still wondering if Snort supports a "client-server" like model
where pcap runs on a monitoring point and streams the data to an
analysis server elsewhere.

Another option to consider would be placing a Snort monitoring appliance
on the WAN side of the router (connected via a hub or using port
mirroring, as mentioned in the talk). This could potentially be
implemented using inexpensive hardware, like another consumer router.
(Something with a bit of power, like the previously mentioned ASUS
RT-N16.) It could even use an attached USB disk for storage. This way if
Snort gets bogged down, it won't impact your network speed.

But sticking another box outside your firewall has just doubled the
number of machines you need to secure. And having a machine that
captures network statistics and interesting packets (potentially
containing plain text passwords, etc.) makes it a useful target for a
hacker.

Plus, this setup doesn't tell you what has made it past your firewall,
which is the whole point of intrusion detection. (And it wouldn't be
wise to make one Snort appliance do double duty by monitoring packets
both inside and outside the firewall. You've now created a convenient
bridge if the appliance gets breached. So that means having yet another
appliance.)


In other matters, I'm curious to know what alternatives to Snort you
evaluated, if any.

On the host intrusion detection side of things I've had success with
Integrit (a file hash comparison tool equivalent to Tripwire; custom
configured to issue delta reports, rather than accumulating all
anomalies until the operator regenerates the database) and logwatch (a log
monitoring tool). Both use email as the primary communication channel.
Both require a fair bit of customization and configuration to make them
minimally noisy. (A noisy monitoring tool quickly gets ignored.)

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
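An added example, not part of the original post and not Integrit's or Tripwire's own code: a minimal file-integrity checker in Python that makes the "delta report" versus "accumulate until the operator regenerates the database" distinction from the host-IDS paragraph concrete. The directory layout, file contents, the tampered sshd_config and the dropped ld.so.preload are constructed for the demo; the function names and the JSON baseline format are this example's own.

```python
"""
Minimal file-integrity checker illustrating two reporting policies:

  "accumulate": the baseline is left alone, so every run repeats the same
                findings until the operator regenerates the database
                (the behaviour the post describes as the default).
  "delta":      after reporting, the baseline is rolled forward to the
                current snapshot, so each run reports only what changed
                since the previous run (the behaviour the post configured).

Hypothetical example code; not Integrit's or Tripwire's implementation.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its hash and mode bits."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),
            }
    return snap


def diff_snapshots(old: dict, new: dict) -> dict:
    """Return added/removed/changed relative paths between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


def run_check(root: Path, state_file: Path, policy: str = "delta") -> dict:
    """
    Compare the tree under root against the stored baseline and return a report.
    A missing state file means "first run": record the baseline, report nothing.
    """
    if policy not in ("delta", "accumulate"):
        raise ValueError("policy must be 'delta' or 'accumulate'")
    current = build_snapshot(root)
    if not state_file.exists():
        state_file.write_text(json.dumps(current, indent=1))
        return {"added": [], "removed": [], "changed": [], "initialized": True}
    baseline = json.loads(state_file.read_text())
    report = diff_snapshots(baseline, current)
    report["initialized"] = False
    if policy == "delta":
        # Roll the baseline forward: next run is quiet unless something new happens.
        state_file.write_text(json.dumps(current, indent=1))
    return report


def has_findings(report: dict) -> bool:
    """True if the report lists any added, removed or changed file."""
    return any(report[k] for k in ("added", "removed", "changed"))


def demo(policy: str) -> list:
    """
    Constructed scenario (not real system files): take a baseline, tamper with
    one file and drop a new one, then run the check twice more. Returns the
    three reports so the difference between the policies is visible.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        state = Path(d) / "baseline.json"
        reports = [run_check(root, state, policy)]  # run 1: baseline only
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")  # tampered
        (root / "ld.so.preload").write_text("/tmp/evil.so\n")              # new file
        reports.append(run_check(root, state, policy))  # run 2: both anomalies
        reports.append(run_check(root, state, policy))  # run 3: delta quiet, accumulate repeats
        return reports


if __name__ == "__main__":
    for pol in ("accumulate", "delta"):
        print(pol, [has_findings(r) for r in demo(pol)])
```

In a real deployment the state file has to live somewhere an attacker who has modified the monitored files cannot also rewrite (read-only media, or a copy pushed off-host), otherwise either policy can be silenced by regenerating the baseline; and the delta policy's quietness is exactly why the second-run report must actually be read, since a change reported once is never reported again.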