Archived from groups: comp.security.firewalls
Hari Om wrote:
> I have installed Snort on my Tomcat Server 101.102.103.104 and my Web
> Server Apache http://hari_om.com - 101.102.103.105 - listens to my
> Tomcat on Port 8009 via MOD_JK.
> I log in to my Application as http://hari_om.com/app1 and I would like
> to monitor and use my IDS for this application "app1". What changes do
> I have to make to SNORT.CONF?
> What would be my HOME_NET, EXTERNAL_NET and HTTP_PORTS?
Based upon what you present, configure your HOME_NET to monitor
your Apache ip address using an appropriate cidr/subnet mask
to limit your ip address range. You can do this at a command line.
An example of a command line cidr/subnet argument from
page 8 in SNORT documentation,
snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
You will need to adjust arguments per your directory layout
and ip address or addresses to be monitored.
I am not sure if Tomcat in front of Apache will interfere
with SNORT. You might have to monitor your Tomcat ip address
instead of your Apache address. SNORT depends on internal
system hooks to monitor. A Tomcat / Apache combination
might be just such that SNORT cannot "sniff" between the two.
You will know upon testing.
You may also use your snort.conf file,
var HOME_NET 101.102.103.105
EXTERNAL_NET should be "any" to cover all possible incoming,
var EXTERNAL_NET any
HTTP_PORT would be your port 8009,
var HTTP_PORTS 8009
Read through your snort.conf file. It contains a lot of
examples on how to configure.
I don't believe there is syntax to monitor only a specific
application or page on your server. SNORT works by sniffing
incoming and outgoing connections based upon ip addresses
and port or ports.
Read through documentation for rule writing. There are dozens
of internet sites, beside SNORT home, on writing rules.
You could possibly write a custom rule strictly for
your single application which could monitor connections
to your application. Keep in mind, you will need a specific
rule to address your application. SNORT is based on hundreds
of rules, but none of them are written for your specific
usage. Look at Win32 rules which well exemplify how to
monitor selected directories containing selected applications.
Do not depend on SNORT to react "block" any connections.
This feature is highly dependent on system platform,
type of LAN cards and other factors. SNORT is basically
passive unless you use very specific configurations which
allow react blocking, but almost always after at least
one connection. Even with SNORT connected to a Netscreen
firewall, blocking only takes place after at least one
rule violation.
Be careful if you elect to use command line arguments for
invoking SNORT. Command line arguments will supersede
your conf file configuration.
Research, read and learn. SNORT is very complex as evidenced
by a hundred or more pages of documentation. There are lots
and lots of SNORT information sites on the net. Once you
are familiar with SNORT, configuration becomes very easy.
Most important, test your configuration to be sure it performs
as you expect. SNORT includes a lot of test jigs for this
purpose. Look through them to learn how they are written.
Again, consider your Tomcat / Apache combination. You may
have to enter before Tomcat, or you might be able to enter
between the two. Testing will yield which is needed.
Purl Gurl
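A worked snort.conf fragment plus a matching local rule for the setup Hari Om describes, written as an added example for this thread: it is not part of either post and not Snort's stock configuration. It uses Snort 2.x syntax, assumes the client-facing Apache port is 80 (implied by the URL http://hari_om.com; the thread never states it), assumes the stock global `http_inspect` line is already present, and picks SID 1000001 as an arbitrary free value in the local range. The rule watches the HTTP side because the Apache-to-Tomcat link on 8009 carries AJP13 via mod_jk, a binary protocol in which the request path is not visible to the HTTP preprocessor.

```snort
# --- snort.conf fragment (Snort 2.x syntax), hosts taken from the thread ---
# The Apache host is the one clients reach, so it is the only HOME_NET entry;
# /32 limits the range to that single address, as the reply suggests.
var HOME_NET 101.102.103.105/32

# "any" (as in the reply) also works; excluding HOME_NET instead keeps the
# sensor from alerting on the server's own outbound connections.
var EXTERNAL_NET !$HOME_NET

# Port 80 is an assumption drawn from http://hari_om.com. Port 8009 is the
# mod_jk/AJP link between Apache and Tomcat, not HTTP, so it is left out.
portvar HTTP_PORTS [80]

# http_inspect must cover the same ports so the URI is normalized before the
# rule's http_uri match runs. Replace the stock "server default" line with this.
preprocessor http_inspect_server: server default profile apache ports { 80 }

# Local rules live in their own file so stock rule updates do not overwrite them.
include $RULE_PATH/local.rules

# --- local.rules ---
# Fires on each established client request whose normalized URI contains
# /app1, i.e. traffic for the one application the question is about.
# sid 1000001 is an arbitrary value from the local range (>= 1000000).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL app1 request"; \
    flow:to_server,established; \
    content:"/app1"; http_uri; nocase; \
    classtype:web-application-activity; \
    sid:1000001; rev:1; \
)
```

Before running it live, let Snort parse the configuration and rules without sniffing (`snort -T -c snort.conf -i eth0` reports syntax problems and exits), then send one request to http://hari_om.com/app1 and confirm an alert appears. As the reply points out, placement matters: a sensor installed on the Tomcat host (101.102.103.104) only sees port-80 traffic addressed to the Apache host if its interface is on a mirrored port or hub, so the test also tells you whether the sensor is sitting where it can see the traffic at all.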