Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal i...


Caution: If I'm incorrect in any way on the information provided,
please correct me; I'll sincerely appreciate it.

Over the last six months I have been researching employing an
Intrusion Detection System, and these are the results:

Most security orientated companies sell hardware appliances for this
purpose, for example, Sonicwall, Cisco, Symantec, McAfee. The prices
range from $400 - thousands. For a small business or home office,
that's a pretty steep price.

The alternative is using FREE, open-source software such as Snort,
Ethereal, and Nessus. Read more about them on snort.org,

The reason why I'm writing and posting this is because I have not
found easy-to-understand instructions on the internet, in newsgroups,
or even on expert-exchange.com! This is for the network administrator
who has a low budget and high security needs.

Ok, here's the setup / lab of a regular small business environment:

Internet --- Firewall/Router --- Switch/Hub --- Bunch of computers

The IDS/Sniffer computer:

Windows 2003 or Windows XP based


1.2 GHz


80GB Hard Drive

52X CD-ROM Drive

Here's what we installed for the IDS:

Snort 2.6, www.snort.org

Ethereal 0.9, www.ethereal.com

WinPcap 3.0 (Comes with www.ethereal.com)

EagleX 2.1, www.engagesecurity.com

Snort 2.6 = Intrusion Detection System

Ethereal 0.9 = Packet Sniffer and analyzer

WinPcap 3.0 = Needed to run Snort and Ethereal

EagleX 2.1 = Pre-config software for Snort, also comes with GUI
Interface known as IDS 1.1 RC4

Where to install the IDS/Sniffer computer? Here it is:

Internet --- Firewall/Router (INSTALL IT HERE) --- Switch/Hub --- Bunch of computers

Ok, so your firewall/router will have two cables going out, one to the
switch/hub, one to the IDS/Sniffer computer. Why?

The reason is this: most small businesses with more than 5 computers
will probably use a switch, since it is smarter than a hub. A hub
broadcasts every packet it receives, whereas a switch usually has
smarter routing capability. In order for packets to be captured, they
have to be broadcast on the hub. Believe it or not, most small
business routers/firewalls act as a hub unless they are specially
designed to be a router/firewall/switch. By employing it on the
router/firewall, it'll capture every packet that comes through your
firewall, and going out too (not sure about this one yet)?

Alternatively, if you use a hub to connect all your computers, you can
employ it there, so it'll be:

Internet --- Firewall/Router --- Hub (INSTALL IT HERE) --- Bunch of computers

That way, you'll capture internal network traffic too.

Hope this helps. Please feel free to e-mail me directly with any
questions, Kevin@econsynergy.com.

Sincerely yours,


Small Business IT Consultant


Re: Employing Intrusion Detection System (IDS) and Packet Sniffer such as Snort and Ethereal in a small business environment

On 7 Apr 2007, in the Usenet newsgroup comp.os.linux.security, in article


Standard mantra - security is not an object, but a philosophy. One tool
or application does not provide a silver bullet solution, and is rarely
useful in isolation.


except that ethereal was renamed 'wireshark' about nine months ago



[compton ~]$  zgrep linux.security ../big.8.list.03.15.07.gz
comp.os.linux.security     Security and the GNU/Linux Operating System.
[compton ~]$

The name of this newsgroup is comp.os.linux.security - it has nothing to
do with using a toy operating system in a critical application. If that
is the only one you know, you're probably not getting a call from a lot
of businesses - certainly not where I work.


I suppose - the little Network General sniffer I'm using is actually a
486 laptop, so maybe you've got a concept problem - windoze does that


And exactly why do you need this?


Snort is one of _many_ tools that might be useful, but is rarely enough
by itself.


wireshark displays packet information in a colorful way for the user who
hasn't bothered to learn the first thing about networking protocols like
IP, TCP, UDP, and ICMP. It comes with a few Linux distributions, along
with the original tcpdump and about 18 other packet sniffers.


That's a requirement for windoze ONLY - most Linux distributions already
include libpcap, and it's a dependency for any packet sniffer that would
be installed on any non-windoze box.


Useless trash for the clueless



Unless your switch has a monitor port - the better ones do, while the
cheap stuff for the home user often does not.


Wrong.  It's a lot easier to bring along a cheap hub and place this in the
line from the switch to the router. That way, you also don't fuck up the
settings on the router - a common problem with the clueless.


You can start by checking the local community college, and seeing if they
have networking classes -  not the microsoft courses which are full of
intentional mis-information and concept errors, but something that uses
the W. Richard Stevens book as a textbook. As you apparently also
don't understand what Linux is, try looking at the Linux Documentation
Project, and read some of the HOWTOs. Some that you are unaware of are:

        272577 Mar 20 13:09 HOWTO-INDEX
         97194 Mar 20 13:09 INDEX

         85507 Aug 20  2001 Firewall-HOWTO
         42743 Nov 24  2001 Firewall-Piercing
        708351 Nov 14  2005 IP-Masquerade-HOWTO
         17605 Jul 21  2004 Masquerading-Simple-HOWTO
        203891 Sep 29  2004 NET3-4-HOWTO
         45604 Apr 18  2006 Networking-Overview-HOWTO
         22582 Feb  6  2004 Reading-List-HOWTO
        155096 Jan 23  2004 Security-HOWTO
        278012 Jul 23  2002 Security-Quickstart-HOWTO
         71626 Apr  4  2004 Unix-and-Internet-Fundamentals-HOWTO

There is also a 'Snort-Statistics-HOWTO' that is now obsolete, but any
search engine should find it in a few seconds.

Before using something as complex as an IDS, you need to have _WRITTEN_
policy in place - describing among other things what are and what is not
acceptable use of the computers. You need to learn _something_ about
the operating system those computers are using, and how to shut down the
many undesirable (and horribly insecure) services that are running on
those systems. Providing conceptual training to the users, so they have
a tiny grasp of the fundamentals will often reduce the exposure far more
than a conslutant coming in waving his favorite (and apparently
misunderstood) tool that's going to save the world.

Counting on an IDS is like sticking a few coupons from MacBurger-in-a-box
in your wallet as your earthquake preparedness kit.  Ain't gonna hack it.

        Old guy
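Both posts turn on the same practical question: does the sensor's NIC actually see other hosts' traffic (hub, or a switch monitor/SPAN port), or only its own plus broadcasts (an ordinary switch port)? The following Python is an added example written for this thread, not code from either poster: it parses a minimal pcap image (the file format tcpdump and Ethereal/Wireshark write) and counts conversations that do not involve the sensor itself. The IP addresses and frames are constructed test data, and the parser assumes a little-endian pcap with link type 1 (Ethernet) and no VLAN tags.

```python
import struct
from collections import Counter

def build_frame(src_ip, dst_ip):
    """Constructed Ethernet/IPv4 frame with no payload (test data only)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 17, 0)
    ip += bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split(".")))
    return eth + ip

def build_pcap(frames):
    """Wrap frames in a pcap file image: global header, then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def iter_ipv4(pcap):
    """Yield (src_ip, dst_ip) for every IPv4 frame in the capture."""
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            yield (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))

def placement_check(pcap, sensor_ip):
    """Count frames whose endpoints do not include the sensor.
    On a plain switch port this is about zero: the sensor sees only its own
    traffic and broadcasts, so a hub or monitor (SPAN) port is needed."""
    convs = Counter(iter_ipv4(pcap))
    foreign = sum(n for (s, d), n in convs.items() if sensor_ip not in (s, d))
    return {"frames": sum(convs.values()), "foreign": foreign,
            "sees_others": foreign > 0}

# Constructed samples: sensor 192.168.1.50, gateway 192.168.1.1, two LAN hosts.
SWITCH_PORT_CAPTURE = build_pcap([build_frame("192.168.1.50", "192.168.1.1"),
                                  build_frame("192.168.1.1", "192.168.1.50")])
HUB_CAPTURE = build_pcap([build_frame("192.168.1.50", "192.168.1.1"),
                          build_frame("192.168.1.10", "192.0.2.7"),
                          build_frame("192.168.1.11", "192.168.1.10")])

if __name__ == "__main__":
    print("switch port:", placement_check(SWITCH_PORT_CAPTURE, "192.168.1.50"))
    print("hub / SPAN :", placement_check(HUB_CAPTURE, "192.168.1.50"))
```

Run the same check against a real capture taken on the sensor NIC after cabling it in; if `sees_others` stays false, Snort is only watching the sensor's own traffic.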
