Yeah it's definitely up and configured.
21714 snort 20 0 134m 52m 3780 S 3 0.7 0:44.63 snort
1371060294000 SLEM snort[21601]: Initializing Network Interface eth0
1371060294000 SLEM snort[21601]: Initializing daemon mode
1371060294000 SLEM snort[21601]: Daemon parent exiting
1371060294000 SLEM snort[21714]: Daemon initialized, signaled parent pid: 21601
1371060295000 SLEM snort[21714]: Checking PID path...
1371060295000 SLEM snort[21714]: PID path stat checked out ok, PID path set to /var/run/
1371060295000 SLEM snort[21714]: Writing PID "21714" to file "/var/run//snort_eth0.pid"
1371060295000 SLEM snort[21714]: Decoding Ethernet on interface eth0
1371060330000 SLEM snort[21714]:
1371060330000 SLEM snort[21714]: [ Port Based Pattern Matching Memory ]
1371060330000 SLEM snort[21714]: +-[AC-BNFA Search Info Summary]------------------------------
1371060330000 SLEM snort[21714]: | Instances : 242
1371060330000 SLEM snort[21714]: | Patterns : 21229
1371060330000 SLEM snort[21714]: | Pattern Chars : 190012
1371060330000 SLEM snort[21714]: | Num States : 123529
1371060330000 SLEM snort[21714]: | Num Match States : 17345
1371060330000 SLEM snort[21714]: | Memory : 4.50Mbytes
1371060330000 SLEM snort[21714]: | Patterns : 0.99M
1371060330000 SLEM snort[21714]: | Match Lists : 1.79M
1371060330000 SLEM snort[21714]: | Transitions : 1.63M
1371060330000 SLEM snort[21714]: +-------------------------------------------------
1371060330000 SLEM snort[21714]:
1371060330000 SLEM snort[21714]: --== Initialization Complete ==--
1371060330000 SLEM snort[21714]: Snort initialization completed successfully (pid=21714)
snort.conf
var HOME_NET sub1/16,sub2/24
var EXTERNAL_NET !$HOME_NET
snort.debian.conf
DEBIAN_SNORT_HOME_NET="[sub1/16,sub2/24]"
We would like to deploy this as a true IDS solution to capture traffic stats for our entire LAN. Will this only work if we log all our fw/security devices through LEM? I can tell you I tested a simple port scan against another device on our network and Snort did not detect it. Possibly a rule config issue, or am I asking too much from LEM?
Only when I actually scanned the LEM machine did any rule fire off.
06/12-14:12:31.380821 [**] [122:1:0] <eth0> (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} x.x.x.x -> s.s.s.s
x = scanning box
s = lem box
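Added example, not part of the original post: a small Python parser for the Snort alert line format quoted above, plus a check of where each alert's destination sits relative to HOME_NET and the sensor's own address. If every alert targets the sensor itself, the sniffing interface is almost certainly not seeing mirrored LAN traffic. The addresses and the HOME_NET list are constructed stand-ins for the page's x.x.x.x, s.s.s.s and sub1/sub2 placeholders.

```python
import ipaddress
import re

# Constructed samples. The first mirrors the post's portscan alert; the second is a
# made-up TCP alert with ports, to show the "host:port" form Snort uses for TCP/UDP.
SAMPLE_ALERTS = [
    "06/12-14:12:31.380821 [**] [122:1:0] <eth0> (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5",
    "06/12-14:13:02.000001 [**] [1:2000000:1] <eth0> EXAMPLE rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:4444 -> 198.51.100.20:22",
]
# Assumed HOME_NET, standing in for the page's sub1/16,sub2/24 placeholders.
HOME_NET = ["198.51.100.0/24", "203.0.113.0/24"]
SENSOR_IP = "198.51.100.5"  # assumed address of the LEM/Snort box (s.s.s.s)

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:<(?P<iface>[^>]+)> )?(?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(line):
    """Parse one Snort 'fast' alert line into a dict; returns None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("src", "dst"):  # split optional ":port" (IPv4 only in this example)
        host, sep, port = d[key].rpartition(":")
        d[key], d[key + "_port"] = (host, int(port)) if sep else (d[key], None)
    return d


def classify_destination(alert, home_net=HOME_NET, sensor_ip=SENSOR_IP):
    """Label the alert's destination: the sensor itself, another HOME_NET host, or external."""
    dst = ipaddress.ip_address(alert["dst"])
    if dst == ipaddress.ip_address(sensor_ip):
        return "sensor-itself"
    if any(dst in ipaddress.ip_network(n, strict=False) for n in home_net):
        return "home-net-host"
    return "external"


def sensor_coverage(lines, home_net=HOME_NET, sensor_ip=SENSOR_IP):
    """Count alert destinations by class; only 'sensor-itself' hits suggests no SPAN/mirror feed."""
    counts = {"sensor-itself": 0, "home-net-host": 0, "external": 0}
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[classify_destination(alert, home_net, sensor_ip)] += 1
    return counts
```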