Anyone ever use SNORT?

meatman (n00b, joined Mar 21, 2005, 5 messages)
I have been thinking about adding a SNORT box to my home network. I did a search on the forum, but most of the results had to do with cocaine....

If anyone has used it (NOT the cocaine), what did you think about it? I can run it on either Windows or *nix, but would prefer *nix since the IDS part of the IPS/IDS doesn't work in Windows.
 
Yes, and for a home network it does not really get you much. You will see a lot of random crap in the logs that would be blocked by a proper NAT setup anyways.
 
It's too low-level for most uses. Maybe if you had a box doing one thing and one thing only, like serving webpages, you'd be able to fine-tune it. Other than that, I recommend getting a larger security suite which probably incorporates snort and provides a layer of interpretation.

Edit: SNORT is, I believe, what's considered an Intrusion Detection System (IDS), and most UTM (unified threat management) stuff has it integrated.
 
Snort is okay, but it's a bit dated. It really depends on what you want to do. First off, if you are creating a single box to act as an IDS/information gathering/security gateway, I would highly recommend using Linux, as it can have a lightweight install and run quite a few open source tools easily. If you want something that is a bit simpler to use and get started with, I would suggest Suricata. It is better optimized than Snort and has a few more features that make it a bit more useful for you. Another great tool if you want to get into a bit more detail is Bro, although it may be overkill for a home network. Bro is quite powerful and can give you a lot of information and options. Both of these (and Snort) can be built on a box with pfSense.
 
I use snort all the time with my pfSense router; it works pretty well. It can be annoying if you have too many things turned on.
 
You could always try Security Onion if you want to play with IDS. It already has Suricata, Bro, and I think maybe Snort installed... along with Wireshark and a bunch of other network monitoring tools. They've done the hard part of configuring and setting it up for you, but it's in their canned format (which I have mixed feelings about). It's very easy to get up and running with though.

Richard Bejtlich is a network monitoring guy who wrote a pretty good book on network monitoring, and it uses Security Onion for its examples. The book is called "The Practice of Network Security Monitoring" and is pretty solid if you want a resource on how to do all of this. The first part talks about the back end and theories along with some of his experience, and the second half is implementation.

The big problem with IDS is that you get tons of information, but it's difficult to really separate the good from the bad with off-the-shelf rules unless it's a full-time job for you. Hence IPS systems like UTMs, but they tend to block so much stuff that they make the network difficult to use on a daily basis.

I've been running UTMs at home for years, and my current Sophos UTM hasn't flagged anything in the last 2-3 years that it's been running except for 1 virus hit (not in the IPS)... but it does block tons of network functionality.
 
Yes, working with UTMs for years in the industry there is a lot of trial and error, even for vets. I also use a lot of traffic pattern tech to create and modify baselines to help try and defend against zero day attacks. It is often a messy and complicated affair and takes a long time to learn how to sift through the massive amount of false positives that creep up. Often, as with most things, the best way to learn is to jump in and start tinkering.

The key is don't fret about being overwhelmed by the tools or the information when you start; just gradually work your way through it. Find the things that work best for you and how you tackle problems. I just watched a TED talk the other day where a guy was using some pretty cool visual representation of bits to determine what the information he was looking at was, so he could quickly tell if it was a system, a picture, text, etc. Pretty neat stuff.
 
I recommend using pfSense and Snort. I also recommend getting the Snort VRT ruleset with an oinkcode. It makes it a lot easier to set up because you can set the rules for connectivity/balanced/security rather than going rule by rule.
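The connectivity/balanced/security choice mentioned above works because each rule in the VRT ruleset carries `metadata:policy <name> <action>` tags, and a loader enables only the rules tagged for the chosen policy. The following is an added example, not code from the thread or from the Snort project, showing that selection over a few constructed rules (local SIDs in the 9000000 range, not real VRT SIDs); it assumes the standard Snort 2.x rule syntax and the `connectivity-ips` / `balanced-ips` / `security-ips` tag names.

```python
import re

# Constructed sample rules (Snort 2.x syntax). The SIDs are in the local range and the
# "policy <name> <action>" metadata follows the convention of the VRT/Talos policies.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh brute force"; flow:to_server; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-recon; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED noisy http probe"; flow:to_server,established; content:"GET"; metadata:policy security-ips alert; classtype:web-application-activity; sid:9000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"CONSTRUCTED dns query to known-bad"; content:"|03|bad|07|example|03|com|00|"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; sid:9000003; rev:1;)
"""

RULE_ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")
SID_RE = re.compile(r"\bsid:(\d+);")
POLICY_RE = re.compile(r"\bpolicy\s+([a-z]+-ips)\s+(alert|drop)\b")


def parse_rule(line):
    """Return (sid, {policy: action}) for a rule line (enabled or '#'-disabled), else None."""
    body = line.strip().lstrip("#").strip()
    if not body.startswith(RULE_ACTIONS):
        return None  # blank line, free-text comment, variable definition, etc.
    sid = SID_RE.search(body)
    if not sid:
        return None
    return int(sid.group(1)), dict(POLICY_RE.findall(body))


def apply_policy(rules_text, policy):
    """Enable exactly the rules tagged with `policy` and comment out every other rule.

    Returns (new_rules_text, {sid: action}); action is the policy's recommended
    disposition ('alert' or 'drop') for each rule it enables.
    """
    out, enabled = [], {}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)  # non-rule lines pass through untouched
            continue
        sid, policies = parsed
        body = line.strip().lstrip("#").strip()
        if policy in policies:
            out.append(body)
            enabled[sid] = policies[policy]
        else:
            out.append("# " + body)
    return "\n".join(out) + "\n", enabled


if __name__ == "__main__":
    for name in ("connectivity-ips", "balanced-ips", "security-ips"):
        _, chosen = apply_policy(SAMPLE_RULES, name)
        print(f"{name:17s} enables {len(chosen)} rule(s): {chosen}")
```

Running it shows the trade-off the thread describes: connectivity enables one rule, security all three, including the noisy HTTP probe that ships disabled.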
 
Wow, thank you all for your responses! For why I want to do this, well, I was in the IT field for 20 years, became disabled 7 years ago so now I have a lot of time to just tinker with things to pass the time.
I thought I did a lot of research on different detection systems, but now I have a whole bunch more information thanks to you all. I will probably start off slowly because I know there will be some bumps in the road, as I just got back into all this starting with DD-WRT and OpenWRT a few months back.

Again thank you all for the help and direction!
 
I use it as well. And I paid the fee for the Snort rules. Those are the only ones I use. The ET rules seem to require a huge amount of tinkering.
 
Yeah, the other rules are not great. They create a lot of false positives.
 