
SNORT - configuration and troubleshooting

Created by Tim Rush, last modified by James Moore on Sep 12, 2018


Overview

Snort is included with the LEM as an open source application and is updated only when the LEM version is updated, so the Snort shipped with LEM will not be the latest version and may not work with the latest rules available over the internet.
LEM includes a default set of rules, and support will help to get snort running, but configuring rules is the customer's responsibility.

Environment

LEM 6.4 and earlier

Snort commands are no longer supported in the CMC for version 6.5. Please contact SolarWinds Customer Support for assistance.

Detail  

History: When the LEM was a physical box (SIM), the appliance had 4 physical interfaces. Most SIMs could use up to 3 interfaces (eth1, eth2, eth3) to sniff network segments. If the SIM was an L4 (database on a second box), only 2 interfaces were available for snort. Some L4s actually had the Alert DB and the RAW DB each on a separate appliance, leaving only 1 interface for snort. The LEM, just like the SIM appliances, can be set up purely as a snort box (old name ‘sensor’) by support changing the role. It is just harder to use snort on LEMs, because most admins do not like to dedicate a NIC on the VM host computer just to snort. Sometimes it is better to deploy a separate physical Linux computer (it could be Windows, but why) as the snort box.
 

How SNORT works

Data path (diagram): network subnet -> switch port -> VM host NIC -> LEM eth1 -> SNORT -> console (Monitor & Database)

1 - Identify a switch port on the customer network, and configure that port for promiscuous mode.

This port will monitor the network present on this switch, picking up all traffic on that network.
The port basically behaves like a hub, unlike a normal switch port, which only passes traffic destined to and from the device connected to it.
To monitor a different subnet, the network admin will need to "mirror" that subnet's traffic to the port.

2 - The VM host computer needs 1 additional NIC, dedicated to LEM snort.

This NIC needs to be set in promiscuous mode, and will be used only by the eth1 interface in the LEM.

3 - LEM (by default) has 2 interfaces configured (eth0 & eth1).

Eth0 is used for general communications (agent, syslog, console and report traffic) to and from the LEM.
Eth1 is tied to the VM host NIC dedicated to the LEM's promiscuous data; it does not have an IP address and is started automatically.

 

Verify snort is running
- open the vSphere console (or an SSH client such as PuTTY on port 32022) and log in as cmc
- enter the “appliance” menu
- enter the “top” command.
     Snort will be in the list when running.
To see which interfaces are running snort:
- enter “u”, followed by the user: “snort”
- enter “c”, and stretch the screen to view the details of the interface, the config file used, and the home network.
- if snort is not running, the most common reason is errors in the rules. Re-import the original rules, or the last known working rules.

Snort was disabled by default in LEM version 5.4.

To get snort to start automatically at boot, edit the following files and add "eth0" or "eth1" to the config:
vi /etc/snort-eth0/snort.debian.conf
vi /etc/snort-eth1/snort.debian.conf

 

Working with rules
- open the vSphere console (or an SSH client such as PuTTY on port 32022) and log in as cmc
- enter the “service” menu
- enter “restartsnort” to restart the snort service
- enter “copysnortrules” to copy (export) the snort rules to a network share
     save a copy of the snort rules to a network share for safe keeping.
- note: be sure to keep an original copy of the snort rules (especially after each upgrade) in a safe place on your network.
- once the rules have been changed, enter “loadsnortrules” to import the updated rules.
     loading snort rules will automatically restart the snort service.

- when rules are exported, two directories are created, “eth0” and “eth1”, although it is possible to have eth2, eth3, …
- each interface (other than eth0) needs to be a dedicated physical NIC in the VM host; each should be set in promiscuous mode and connected directly to a switch port (which is also set in promiscuous mode).
- eth0 is the default network interface for communications to/from the LEM (a standard switch interface), so snort rules for this interface need not be created.
- to avoid false positives on undesired traffic, be sure to set the home network in “snort.debian.conf”:
     DEBIAN_SNORT_HOME_NET="192.168.0.0/16"   (for each network being monitored)
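Because rule errors are the most common reason snort fails to come up after “loadsnortrules”, and a mistyped home network silently turns every address into a "home" address, it helps to check the exported rules and the snort.debian.conf setting on the workstation where the share is edited, before importing. The following is an added example, not LEM's or Snort's own code; it assumes Snort 2 rule syntax, the sample rules and config are constructed, and the checks are heuristics that catch the usual copy/paste mistakes rather than a full rule parser.

```python
import ipaddress
import re
# Constructed samples (not LEM's default rules): rule 2 lacks the ";" after msg,
# rule 3 reuses rule 1's sid, and the conf has typographic quotes from a copy/paste.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to home net"; flow:to_server; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP to home net" sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS query"; sid:1000001; rev:2;)
"""
SAMPLE_CONF = '# constructed snort.debian.conf\nDEBIAN_SNORT_HOME_NET=\u201d192.168.0.0/16\u201d\n'
RULE_HEADER = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+(\S+)\s+(\S+)\s+'
    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def lint_rules(text):
    """Return [(line_no, problem)] for rule mistakes that stop Snort from starting."""
    problems, sids = [], {}
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith('#'):
            continue
        if not (m := RULE_HEADER.match(line)):
            problems.append((n, 'malformed rule header or missing option parentheses'))
            continue
        opts = m.group(8).strip()
        # heuristic: a quoted value followed directly by another key: lost its ";"
        if re.search(r'"[^"]*"\s+\w+:', opts):
            problems.append((n, 'missing ";" after a quoted option value'))
        sid = re.search(r'\bsid:\s*(\d+)\s*;', opts)
        if not sid:
            problems.append((n, 'rule has no sid'))
        elif sid.group(1) in sids:
            problems.append((n, f'duplicate sid {sid.group(1)} (first on line {sids[sid.group(1)]})'))
        else:
            sids[sid.group(1)] = n
    return problems

def check_home_net(conf_text):
    """Return (value, problem) for DEBIAN_SNORT_HOME_NET; problem is None when valid."""
    m = re.search(r'^DEBIAN_SNORT_HOME_NET=(.*)$', conf_text, re.M)
    if not m or not (raw := m.group(1).strip()):
        return None, 'DEBIAN_SNORT_HOME_NET not set: every address counts as home'
    if raw[0] in '\u201c\u201d' or raw[-1] in '\u201c\u201d':
        return raw, 'typographic quotes around the value; use straight "..."'
    value = raw.strip('"')
    try:
        for net in value.strip('[]').split(','):  # Snort allows [a,b] lists and !negation
            ipaddress.ip_network(net.strip().lstrip('!'), strict=True)
    except ValueError as e:
        return value, f'invalid network: {e}'
    return value, None
```

Run it over each exported interface directory (eth1, eth2, …) and fix every reported line before entering “loadsnortrules”; a clean run does not guarantee Snort accepts the rules, but it removes the mistakes that most often stop the service.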
 
