

SNORT - configuration and troubleshooting

Created by Tim Rush, last modified by Tim Rush on Jun 21, 2017


Overview

Snort is included with the LEM as an open source application and is updated only when the LEM version is updated, so the Snort shipped with LEM will not be the latest version and may not work with the latest rules available over the internet.
LEM includes a default set of rules, and support will help to get Snort running, but configuring rules is the customer's responsibility.

Environment

All versions of LEM

 

Detail

History: When the LEM was a physical box (SIM), the appliance had 4 physical interfaces. Most SIMs could use up to 3 interfaces (eth1, eth2, eth3) to sniff network segments. If the SIM was an L4 (database on a second box), only 2 interfaces were available for Snort. Some L4s actually had the Alert DB and the RAW DB each on a separate appliance, leaving only 1 interface for Snort. The LEM, just like the SIM appliances, can be set up purely as a Snort box (old name "sensor") by having support change the role. It is just harder to use Snort on LEMs, because most admins do not like to dedicate a VM host NIC solely to Snort. Sometimes it is better to deploy a separate physical Linux computer (could be Windows, but why) as a Snort box.
 

How SNORT works

Traffic-flow diagram (image not reproduced): network subnet -> switch port -> VM host NIC -> LEM eth1 -> SNORT -> console Monitor & Database

1 - Identify a switch port on the customer network, and configure that port for promiscuous mode.

This will monitor the network present on this switch, picking up all traffic on that network.
The port basically behaves like a hub, unlike a normal switch port, which only passes traffic destined to and from the device connected to it.
To monitor a different subnet, the network admin will need to "mirror" that subnet onto the port.

2 - The VM host computer needs 1 additional NIC, dedicated to the LEM Snort.

This NIC needs to be set in promiscuous mode, and will be used only by the eth1 interface in the LEM.

3 - LEM (by default) has 2 interfaces configured (eth0 & eth1).

Eth0 is used for general communications (agents, syslog, console, reports) to and from the LEM.
Eth1 is tied to the VM host NIC dedicated to LEM promiscuous data; it does not have an IP address and is started automatically.

 

Verify snort is running
- open the vSphere console (or an SSH client such as PuTTY on port 32022, login with cmc),
- enter the "appliance" menu
- enter the "top" command.
     Snort will be in the list when running.
To see which interfaces are running snort:
- enter "u", followed by the user: "snort"
- enter "c", and stretch the screen to view the details of the interface, config file used, and the home network.
- if snort is not running, the most common reason is errors in the rules. Re-import the original rules, or the last known working rules.

Snort was disabled by default in LEM version 5.4

To get snort to start automatically at boot, edit the following files and add "eth0" or "eth1" to the config:
vi  /etc/snort-eth0/snort.debian.conf
vi  /etc/snort-eth1/snort.debian.conf

 

Working with rules
- open the vSphere console (or an SSH client such as PuTTY on port 32022, login with cmc)
- enter the "service" menu
- enter "restartsnort" to restart the snort service
- enter "copysnortrules" to copy (export) the snort rules to a network share
     save a copy of the snort rules to a network share for safe keeping.
- note: be sure to keep an original copy of the snort rules (especially after each upgrade) in a safe place on your network.
- once rules have been changed, enter "loadsnortrules" to import the updated rules.
     loading snort rules will automatically restart the snort service.

- when rules are exported, two directories are created, "eth0" and "eth1", although it is possible to have eth2, eth3, ...
- each interface (other than eth0) needs to be a dedicated physical NIC in the VM host, set in promiscuous mode and connected directly to a switch port (which is also set in promiscuous mode).
- eth0 is the default network interface for communications to/from the LEM (a standard switch interface), so snort rules for this interface need not be created.
- to avoid false positives on undesired traffic, be sure to set the home network in "snort.debian.conf":
     DEBIAN_SNORT_HOME_NET="192.168.0.0/16"   (for each network being monitored)
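As an added check that is not part of this article or of LEM, the POSIX shell script below validates the DEBIAN_SNORT_HOME_NET line of a snort.debian.conf before "loadsnortrules" restarts Snort, catching the bad-config case that leaves Snort missing from "top" (a malformed CIDR, or curly quotes pasted from a document instead of straight ones). The per-interface file paths and the sample config files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not SolarWinds code): sanity-check DEBIAN_SNORT_HOME_NET in a
# snort.debian.conf before "loadsnortrules" restarts Snort. A malformed CIDR or
# curly quotes pasted from a document are reasons Snort can fail to start and
# vanish from "top". Paths are assumed to follow the article (/etc/snort-ethN/).
set -f   # no pathname expansion while we word-split on "." and ","

# valid_cidr A.B.C.D/N -> 0 only for a well-formed IPv4 CIDR.
valid_cidr() {
    ip=${1%/*}; mask=${1#*/}
    [ "$ip" != "$1" ] || return 1                  # no slash present
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac  # mask must be numeric
    [ "$mask" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1                       # exactly four octets
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# check_home_net FILE -> 0 if DEBIAN_SNORT_HOME_NET is set, uses straight
# double quotes, and each comma-separated entry is a valid IPv4 CIDR.
check_home_net() {
    conf=$1
    line=$(grep '^DEBIAN_SNORT_HOME_NET=' "$conf" | tail -n 1)
    [ -n "$line" ] || { echo "$conf: DEBIAN_SNORT_HOME_NET is not set"; return 1; }
    case "$line" in *“*|*”*)
        echo "$conf: curly quotes in HOME_NET (copy/paste artifact)"; return 1 ;;
    esac
    value=${line#DEBIAN_SNORT_HOME_NET=}
    value=${value#\"}; value=${value%\"}
    value=${value#\[}; value=${value%\]}           # Snort also accepts [a,b]
    old_ifs=$IFS; IFS=,; set -- $value; IFS=$old_ifs
    for net in "$@"; do
        valid_cidr "$net" || { echo "$conf: bad HOME_NET entry '$net'"; return 1; }
    done
    echo "$conf: HOME_NET ok ($value)"
}

# Constructed sample configs for the demo, one per sniffing interface.
TMP=$(mktemp -d)
printf 'DEBIAN_SNORT_HOME_NET="192.168.0.0/16,10.0.0.0/8"\n' > "$TMP/eth1.conf"
printf 'DEBIAN_SNORT_HOME_NET=”192.168.0.0/16”\n' > "$TMP/eth2.conf"
check_home_net "$TMP/eth1.conf"
check_home_net "$TMP/eth2.conf" || echo "fix $TMP/eth2.conf before loadsnortrules"
```

Run it against each /etc/snort-ethN/snort.debian.conf after editing and before "loadsnortrules"; a non-zero exit means the home network line needs fixing first.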
 
