Depending upon traffic levels, even old hardware could be used. Pick your favorite Open Source OS: FreeBSD, OpenBSD, your favorite Linux distro, etc. We used CentOS for its similarity to Red Hat. Netflow is entirely optional. It can also be offloaded from the sensors to your network gear if it supports it. We decided upon port mirroring on our switches, with one location using an inexpensive 10/100 tap.
A sensor is placed at each distribution point and uses the uplink to the network routers to watch traffic. One alternative is placing the sensor inline on the uplink and using snort-inline. Another option is to place sensors inside the firewall with different rules to watch Internet-bound traffic. The sensors are our eyes into the network. If need be, you simply log on to the box and you can see what kind of traffic is flowing through any given location.
The biggest portion of time and money is spent setting up the management server and the installation media. The more sensors that need to be deployed, the more cost effective this method becomes. Each additional sensor is only an incremental hardware cost, with a minimum of time necessary to deploy it.
The OS repository is a local mirror of the official distribution sites. It contains only the architectures and versions you'll be using in your environment. It takes time to build: about 3 hours for just the x86 architecture, with NO CD or DVD images, over broadband. A cron job updates the OS repository from the official mirrors via rsync.
Example of different rsync options. We can use --delete to keep the bin, lib, and snort directories clean. Don't use --delete on /etc, since we're only syncing common files.
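The two rsync modes described in the notes, as an added example script (not the presentation's own sync script): the directory layout, file names and contents are constructed under a temp directory so it runs offline, and the third function shows what goes wrong if --delete is applied to /etc.

```shell
#!/bin/sh
# Added example (not the presentation's own script): the two rsync modes from the notes,
# exercised against constructed directories under a temp dir so it runs offline.
# The layout (repo/bin, repo/etc, sensor/bin, sensor/etc) and the file names are assumptions.
set -e

# Build a constructed "software repository" and a constructed "sensor" tree.
# The sensor holds a stale binary that should disappear, and a host-specific
# /etc file that must survive a sync.
setup_trees() {
  work=$(mktemp -d)
  mkdir -p "$work/repo/bin" "$work/repo/etc" "$work/sensor/bin" "$work/sensor/etc"
  echo "snort binary (constructed)" > "$work/repo/bin/snort"
  echo "common snort.conf (constructed)" > "$work/repo/etc/snort.conf"
  echo "stale tool" > "$work/sensor/bin/old-tool"   # not in repo: --delete should remove it
  echo "sensor01" > "$work/sensor/etc/hostname"     # local-only: must never be deleted
  echo "$work"
}

# Directories that must mirror the repository exactly (bin, lib, snort):
# --delete removes anything on the sensor that the repository no longer has.
sync_exact() {
  rsync -a --delete "$1/repo/bin/" "$1/sensor/bin/"
}

# /etc only receives the common files, so no --delete: host-specific files stay.
sync_common_etc() {
  rsync -a "$1/repo/etc/" "$1/sensor/etc/"
}

# The mistake the notes warn about: --delete on /etc wipes host-specific files.
sync_etc_with_delete_wrong() {
  rsync -a --delete "$1/repo/etc/" "$1/sensor/etc/"
}

# Report "present" or "absent" for a path, so results can be checked by name.
state() {
  if [ -e "$1" ]; then echo present; else echo absent; fi
}

# Walk through the scenario and print what happened at each step.
demo() {
  w=$(setup_trees)
  sync_exact "$w"
  sync_common_etc "$w"
  echo "bin/old-tool after --delete sync: $(state "$w/sensor/bin/old-tool")"   # absent
  echo "etc/hostname after plain sync:    $(state "$w/sensor/etc/hostname")"    # present
  sync_etc_with_delete_wrong "$w"
  echo "etc/hostname after --delete sync:  $(state "$w/sensor/etc/hostname")"   # absent
  rm -rf "$w"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with RUN_DEMO=1 to see the three states printed; the point is that --delete makes the destination a strict mirror of the source, which is exactly what you want for bin, lib and snort and exactly what you do not want for a directory that also carries per-host files.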
We're not using flow-tools for flow aggregation or historical analysis. If something goes bump on the network, it's another point to see who may have been doing what at the time. An alternative for netflow statistics is ntop. When we were building our IDS infrastructure, it was difficult to add a lot of netflow probes. SSH to the sensors is allowed ONLY from the management server. Root logon to the sensors is via public-key authentication, NOT passwords. I recommend registering with Sourcefire to receive their official rules. However, there is a lag between official rule releases and when you can download them, unless you pay to subscribe. We do have the Hobbit client on the sensors to alert if a process dies or utilization on the box gets too high.
Disk imaging works great for identical hardware. A scripted install can be portable: the same install is used for SCSI-based servers and IDE/SATA workstations. Scripted installs may also be faster; instead of imaging a 40 GB drive, we're only installing 400-700 MB. Can you imagine doing this with Windows machines?
Simple settings are for speed. Load nothing that may slow down or get in the way of processing packets.
Disable X: no monitor is attached, so there is no need for a GUI. The second network card will be enabled upon boot, but configured with no IP address and no DHCP config. We automatically wipe the drive and repartition with /boot, / and swap. All partitions are Linux ext2 (we don't even want file system journaling to get in the way). If the file system becomes corrupt due to a power outage, fine: we rebuild the box in 10 minutes and we're back up and running. We've added the SMP kernel, net-snmp and ntp packages, among others. We disable every service except ssh. The last step of the installation is to sync our /usr/local directories.
Finish the first installation, generate a list of installed packages, and start removing things you don't want. A lot of removals will fail with dependency errors; add the dependencies to the removal command and try again. When connecting sensors, try to stick to a standard, i.e. eth0 is management and eth1 is the capture interface. This may not always be possible, so modifications to the startup scripts can work around it. Run the install on the sensor, then log on as root to adjust the hostname and IP address.
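The scripted-install choices listed above (no X, ext2-only /boot, / and swap, a second NIC with no address, ssh the only service, /usr/local synced last), collected into one added kickstart example. This is not the presentation's own kickstart file; the mirror hostname, partition sizes, package list, rsync module name and the key and password placeholders are all assumptions.

```kickstart
# Added example (not the presentation's own kickstart): a minimal CentOS sensor build
# following the choices in the notes. The mirror URL, partition sizes, package list,
# rsync source and the key/password placeholders are assumptions.
install
url --url http://os-repo.example.internal/centos/os/i386   # assumed local OS repository mirror
lang en_US.UTF-8
keyboard us
text
skipx                                         # no monitor attached: no X
network --device eth0 --bootproto dhcp        # management interface; hostname/IP set by hand after install
rootpw --iscrypted PLACEHOLDER_CRYPTED_HASH   # root logon is by SSH key, not password
timezone UTC
bootloader --location=mbr
reboot

# Wipe the drive and repartition with /boot, / and swap; all ext2, no journaling.
clearpart --all --initlabel
part /boot --fstype ext2 --size=100
part swap --size=512
part / --fstype ext2 --size=1 --grow

# Sensor packages: SMP kernel, net-snmp, ntp, ssh, rsync. Trim the installed set after
# the first build by removing what you don't need, as the notes describe.
%packages
kernel-smp
net-snmp
ntp
openssh-server
rsync

%post
# eth1 is the capture interface: up at boot, but no IP address and no DHCP.
cat > /etc/sysconfig/network-scripts/ifcfg-eth1 <<'EOF'
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
EOF

# Disable every service except ssh and the ones we added on purpose.
for svc in $(chkconfig --list | awk '$5 == "3:on" {print $1}'); do
  case "$svc" in
    sshd|ntpd|snmpd|network|syslog) ;;
    *) chkconfig "$svc" off ;;
  esac
done

# Root logon only with the management server's public key (placeholder key).
mkdir -m 700 /root/.ssh
echo "ssh-rsa PLACEHOLDER_MANAGEMENT_SERVER_PUBKEY root@mgmt" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

# Last step: pull the sensor software tree from the software repository, assumed here
# to be exported by an rsync daemon on the management server.
rsync -a --delete rsync://mgmt.example.internal/sensor-usr-local/ /usr/local/
```

The %post section runs inside the freshly installed system, so the interface file, the service list and the /usr/local sync are in place on first boot; the hostname and the eth0 address are the only things left to set by hand afterwards.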
A base set of instructions for the Fedora modifications is on the ntop wiki site. If you are familiar with compiling RPMs, it isn't terribly difficult to adapt these instructions and build a kernel package.
Honestly, I install all software into the management server's /usr/local tree, then copy what I need over to the Software Repository.
Snortsam supports Checkpoint, Cisco PIX and router ACLs, Netscreen, Watchguard, and ISA Server firewalls, as well as the iptables, pf, ipfw, and ipfw2 packet filters built into the Open Source OSes. As an example, BitTorrent is known to be used far more often for copyright violations than for legitimate downloads. We have a rule that looks for BitTorrent connections and blocks the user's Internet connectivity for an hour.
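What such a rule looks like, as an added example rather than the presentation's own rule: it assumes Snort built with the Snortsam patch, which adds the alert_fwsam output plugin and the fwsam rule option, and it matches the BitTorrent peer handshake (the byte 0x13 followed by the literal "BitTorrent protocol"). The agent address, password and sid are placeholders.

```snort
# Added example, not the presentation's own configuration. Assumes Snort patched with
# Snortsam (alert_fwsam output plugin and fwsam rule option are provided by that patch).

# snort.conf: where to send block requests. The Snortsam agent runs on the firewall
# host and listens on its default port 898; the address and password are placeholders.
output alert_fwsam: 192.0.2.10:898/PLACEHOLDER_SNORTSAM_PASSWORD

# local.rules: the BitTorrent peer handshake starts with the byte 0x13 and the string
# "BitTorrent protocol". On a match, ask Snortsam to block the internal source
# address for one hour (fwsam: who, duration).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent handshake - source blocked for 1 hour"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; fwsam: src, 1 hour; sid:1000001; rev:1;)
```

The sensor side only requests the block; the Snortsam agent on the firewall decides whether to honour it based on its own accept list and password, so a sensor that is compromised or misconfigured cannot block arbitrary addresses unless the agent trusts it. Keep the agent's "don't block" list populated with the management server, DNS servers and gateways before enabling any fwsam rule.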
Nepenthes is sort of a honeypot for malware. It emulates known vulnerabilities that are commonly used to spread viruses and trojans. The Prelude development team is also working on event correlation.
FlowViewer is a Perl-based web page that uses flow-tools to generate reports. This page has been slightly modified to make the Device and Sort Field dropdown boxes a little more intuitive. We also changed the Resolve Addresses box to default to No.