
Chapter 7. Building the Sensor

This chapter is a complete guide to deploying a Snort sensor. The Snort application itself is installed on the sensor. The sensor collects data from the monitored segment by sniffing packets, which are fed directly into the Snort application. Snort interprets the nature of the sniffed packets and generates alerts when suspicious activity is detected; the alerts are then posted to the Snort server. In the following installation, Snort will log in the Snort Unified format. You will then configure Barnyard to continuously process the alerts created by Snort, and Barnyard will post them into the MySQL database residing on the Snort server. Sensors must be connected to the same network segments that are to be monitored for intrusions. Naturally, security is a priority: the sensor will be hardened and will have only Snort and its supporting applications installed. Like the Snort server, the sensor will use Red Hat Linux 7.3 as its underlying operating system.

You need to ensure you have two network cards installed in the sensor: one for the sniffing interface and one for the management interface. You will configure the sniffing interface to attach to the monitored segment, whereas the management interface will connect to the monitoring segment. The sniffing NIC will be configured to run in stealth mode, meaning it has no IP address assigned to it. The management interface, on the other hand, has an IP address assigned to it so that it can communicate with both the server and the console. Alerting data is passed out of this interface up to the server, and the console uses the management interface to remotely administer the sensor. It is easier to have both NICs installed on the sensor prior to installing Linux, since Linux discovers and configures the NICs automatically, saving you some work.
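The following shell script is an added example, not code from the book, that brings the sniffing NIC up in stealth mode and verifies the result by parsing legacy `ifconfig` output. It assumes `eth1` is the sniffing interface (override with `SNIFF_IF`) and that `/sbin/ifconfig` accepts the `0.0.0.0 up promisc` form used on Red Hat Linux 7.3; the sample `ifconfig` output is constructed for the self-check.

```shell
#!/bin/sh
# Assumed roles (not from the book): eth0 = management NIC, eth1 = sniffing NIC.
SNIFF_IF="${SNIFF_IF:-eth1}"

# Bring the sniffing NIC up with no IP address and in promiscuous mode so that
# Snort sees every frame on the monitored segment.  Requires root on the sensor.
stealth_up() {
    /sbin/ifconfig "$1" 0.0.0.0 up promisc
}

# Read legacy ifconfig output on stdin and verify that interface $1 is UP,
# PROMISC and carries no IPv4 address.  Exit status 0 = stealth, 1 = not stealth.
check_stealth() {
    awk -v dev="$1" '
        $1 == dev                    { found = 1; inblock = 1; next }
        /^[^ \t]/                    { inblock = 0 }
        inblock && /inet addr:/      { has_ip = 1 }
        inblock && /UP/ && /PROMISC/ { up_promisc = 1 }
        END {
            if (!found)      { print dev ": interface not found";      exit 1 }
            if (has_ip)      { print dev ": has an IP address, not stealth"; exit 1 }
            if (!up_promisc) { print dev ": not UP and PROMISC";        exit 1 }
            print dev ": stealth OK"; exit 0
        }'
}

# Constructed sample of Red Hat 7.3 style ifconfig output: eth0 managed, eth1 stealth.
sample_ifconfig() {
cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:11:22:33
          inet addr:192.168.10.5  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0C:29:44:55:66
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
EOF
}

# Usage on the sensor: "sh stealth.sh up" then "sh stealth.sh check".
case "${1:-}" in
    up)    stealth_up "$SNIFF_IF" ;;
    check) /sbin/ifconfig -a | check_stealth "$SNIFF_IF" ;;
esac
```

Run the `check` action after every reboot and from your hardening checklist: an IP address appearing on the sniffing NIC means the interface is reachable from the monitored segment.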
