Simple SOHO IDS with Snort & a DIY Network TAP

I run a few Internet facing resources at home, that are mostly protected or locked down in one form or another. However, I wanted to implement some form of Intrusion Detection System or basic monitoring that would let me know what was being accessed, when, and by who. I decided to go with Snort ( www.snort.org ) because it’s a proven technology that is fairly simple to set up with a little Linux know-how (there is also a Win32 distribution).

My biggest problem was how to ensure Snort could see all of the relevant traffic. I couldn’t just plug the machine running Snort into one of my switches, since I don’t have a switch that supports setting up a SPAN port. I could have used a hub, but didn’t want to introduce the potential for problems in my network related to collisions. A white paper on the Snort site mentioned using a network TAP. This seemed like a good idea, but the commercial ones cost way more than I was wanting to spend. I found a great DIY article here on making your own passive tap. Check the article for the details, all you need is a 4 port surface mount box, 4 keystone jacks, and a small length of Cat5 cable. I was able to put one together for less than $20.

The finished product has four interfaces: one interface for each host, and two monitoring interfaces. Each monitoring port monitors traffic received in one direction only. Because only the pins for receiving traffic are wired on the monitoring ports, your IDS station is completely invisible on the network, functioning only as a listening device. That’s one of the main benefits that attracted me to this solution. A separate NIC will need to be used for remote management of the IDS, unless you intend to do so exclusively from the console. I installed Snort on a machine running SUSE Enterprise 10, and connected it to the Tap which I plugged in on the WAN side of my router between it and my DSL modem (see below for a simple diagram), monitoring incoming traffic. This actually generates alerts on traffic that isn’t making it through my firewall, but it’s interesting to see what traffic is out there. The SQL Slammer worm is still very prevalent, and it’s amazing how much suspicious traffic is originating from China (or not). I also added a few custom rules specific to my environment. Later I may move the tap inside my firewall. I was a little worried about the effect it might have on my network, but bandwidth tests before and after were identical, and I’ve had zero packet loss after running this for several weeks.


This is a great way of monitoring your network. I certainly wouldn’t recommend using this setup in an enterprise or production environment, but it works well for situations like mine, or as a learning tool. In the future I may utilize more of Snort’s IPS features, as well as some sort of log watch automatic notifications.

Related Posts:

Snort IDS & BASE on Server Core 2008

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: