0

I am trying to set up a Snort IDS on a virtual machine for my lab. My problem is that normally, these kinds of IDS are connected to the mirrored port of a switch. My lab has no such device. Here is my topology:

[Internet]->[Linux Firewall+NAT]->[Local Subnets]

I would like to connect my Snort VM (connected to my 192.168.0.0/24 subnet) to my Linux Firewall. Is there a way, using IPTABLES or something similar, that I can achieve this?

(It might not be possible since we want to listen to Transport Layer frames...)

Or would it be possible to collect data on my firewall and have my Snort VM analyse it remotely?

What are my options here?

Thank you for sharing your knowledge!

m6a-uds

1 Answer

0

Run snort on the Linux Firewall. You can use the VM to run MySQL and configure snort to log to it like so:

output database: log, mysql, user=snort password=snortpass dbname=snort host=mysql.host
dmourati
  • Could I run BASE (or any frontend) on this MySQL server? Or is it going to have to be on the firewall directly as well? – m6a-uds Mar 05 '13 at 01:11
  • Yes, run BASE inside on the VM. Ideally you'd have a separate VLAN for this but it sounds like it's not possible in your environment. – dmourati Mar 05 '13 at 03:01
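For the iptables route the question asks about, here is an added example that is not from either poster: the xt_TEE target makes the firewall itself act as the mirror port by sending an untouched copy of each matching packet to a neighbouring host, so the Snort VM can keep running as the sensor. The interface name eth1 and the sensor address 192.168.0.50 are constructed placeholders, and the script only prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the question or answer): mirror the firewall's
# LAN traffic to the Snort VM with the iptables TEE target (xt_TEE), which
# hands an unmodified copy of each matching packet to the MAC address of
# the given gateway. Assumed/constructed values: LAN_IF=eth1,
# SNORT_IP=192.168.0.50. Assumed requirements: Linux >= 2.6.36 with
# xt_TEE, and the sensor on a directly attached subnet, because TEE does
# not route the copy.

# tee_rules LAN_IF SNORT_IP
# Emit the iptables commands, one per line, without applying them.
tee_rules() {
  lan_if=$1
  snort_ip=$2
  # Packets entering the firewall from the LAN are seen before SNAT, so
  # the internal source addresses are intact. The sensor's own packets
  # are excluded so its MySQL/BASE traffic is not mirrored back to it.
  printf 'iptables -t mangle -A PREROUTING -i %s ! -s %s -j TEE --gateway %s\n' \
    "$lan_if" "$snort_ip" "$snort_ip"
  # Packets leaving toward the LAN are seen after DNAT, so the internal
  # destination addresses are already restored.
  printf 'iptables -t mangle -A POSTROUTING -o %s ! -d %s -j TEE --gateway %s\n' \
    "$lan_if" "$snort_ip" "$snort_ip"
}

# Stand-alone use:
#   ./mirror.sh show eth1 192.168.0.50            # print the rules
#   ./mirror.sh show eth1 192.168.0.50 | sudo sh  # apply them
# On the sensor, Snort captures the copies in promiscuous mode, e.g.
#   snort -i eth0 -c /etc/snort/snort.conf
# and the sensor must not forward them: sysctl net.ipv4.ip_forward=0
if [ "${1:-}" = "show" ] && [ $# -eq 3 ]; then
  tee_rules "$2" "$3"
fi
```

Because the copies are delivered by MAC address only, the sensor's IP stack discards them as not addressed to it, which is exactly what you want; only the capture interface sees them.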