For some years I have run Snort on my main server, along with Apache, bind etc., and this setup has the obvious limitation that it only inspects traffic addressed to the server itself. In a perfect world, the sensor should sit either in front of or behind the router/firewall so that all traffic to the internal network is examined. This can be accomplished by various techniques, such as getting a passive network tap or using a hub. Since I already had an ITX system, an Alix 2D3, which is a small flash-based board with 3 NICs, 256 MB of RAM and a 600 MHz CPU, I decided to give it a try. In theory it seems straightforward: bridge two NICs together, connect the cable modem to one NIC and the router to the second, and let Snort sniff the bridged interface. In practice, it was not much more difficult.
Being the FreeBSD guy I am, I decided to install it on the 4 GB flash card. A few things to keep in mind: since compact flash cards have a finite number of write cycles, it is important to minimize write operations. This can be done by mounting the filesystems with noatime, which stops the system from recording when files were last accessed, and by mounting /tmp and /var/log in RAM using tmpfs. One caveat with the Alix board is that it has no VGA output, so to install the operating system I did a PXE install over a serial cable. It’s pretty simple; a good guide can be found here and another one here. To be able to manage the box remotely without connecting a console cable to it, I used the first interface (vr0) as the management interface and assigned a local address to it.
When the installation was complete, I SSH’d into the box and upgraded the ports tree, then installed some must-have tools (vim, screen and bash) before installing Snort and Oinkmaster (to keep the rules updated). Since I am running BASE (a web GUI for querying and analyzing alerts) on my main server and it uses MySQL as the backend, I compiled Snort with support for logging to MySQL. Before starting Snort, I had to bridge the two physical interfaces (vr1 & vr2) into one logical interface (bridge0) that Snort could listen on. After a few modifications to snort.conf (specifying logging, etc.) I started it with snort -i bridge0 and lo and behold! It worked!
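As an added example (not from the original post), a small POSIX sh lint for the two config files behind this setup: a constructed /etc/rc.conf that keeps the address on vr0 and clones bridge0 over vr1 and vr2, and a constructed /etc/fstab with noatime on the CF partitions and tmpfs for /tmp and /var/log. The check that the bridged members carry no address of their own is my assumption of good practice for a transparent sensor; the post only states that vr0 got a local address.

```sh
#!/bin/sh
# Added example, not from the original post: lint the two config files
# behind the setup above, a constructed /etc/rc.conf (vr0 = management,
# vr1 + vr2 bridged into bridge0 for Snort) and a constructed /etc/fstab
# (noatime on the CF partitions, /tmp and /var/log on tmpfs).

# 0 if rc.conf creates bridge0 over vr1 and vr2, keeps the inet address on
# vr0 only, and gives the sniffing members no address of their own.
check_bridge_rcconf() {
    grep -q '^cloned_interfaces=.*bridge0' "$1" || return 1
    grep -q '^ifconfig_bridge0=.*addm vr1.*addm vr2' "$1" || return 1
    grep -Eq '^ifconfig_vr[12]=.*inet' "$1" && return 1   # member has an IP
    grep -q '^ifconfig_vr0=.*inet' "$1" || return 1
    return 0
}

# 0 if every ufs mount carries noatime and /tmp and /var/log are tmpfs.
check_fstab() {
    awk '$3 == "ufs" && $4 !~ /noatime/ { bad = 1 } END { exit bad + 0 }' "$1" || return 1
    grep -Eq '^tmpfs[[:space:]]+/tmp[[:space:]]+tmpfs' "$1" || return 1
    grep -Eq '^tmpfs[[:space:]]+/var/log[[:space:]]+tmpfs' "$1" || return 1
    return 0
}

# Constructed sample files standing in for /etc/rc.conf and /etc/fstab.
RC_OK=$(mktemp); cat >"$RC_OK" <<'EOF'
ifconfig_vr0="inet 192.168.1.2 netmask 255.255.255.0"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm vr1 addm vr2 up"
ifconfig_vr1="up"
ifconfig_vr2="up"
snort_enable="YES"
snort_interface="bridge0"
EOF
FSTAB_OK=$(mktemp); cat >"$FSTAB_OK" <<'EOF'
/dev/ad0s1a  /        ufs    rw,noatime            1 1
/dev/ad0s1d  /var     ufs    rw,noatime            2 2
tmpfs        /tmp     tmpfs  rw,mode=1777,size=64m 0 0
tmpfs        /var/log tmpfs  rw,size=32m           0 0
EOF

check_bridge_rcconf "$RC_OK" && echo "rc.conf: bridge layout OK"
check_fstab "$FSTAB_OK" && echo "fstab: flash-friendly mounts OK"
```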