Remote Snort Sensors Part 1

24
February

Written by admin. No comments Posted in: Network Administration
Tagged with alix2d3, cacti, fprobe, freebsd, ntop, snmp, snort

System specifications
Hardware: alix2d3
OS: FreeBSD 7.2
Storage: 4Gb Compact Flash
Components: Snort, fprobe, webmin, net-snmp, syslogd

I’ve been using Snort on and off for the past several years but I haven’t been using it recently due to changes in the network topology here at work, I just didn’t have a good spot to install it where it would actually do much good. I then started a project early in 2009 where I was going to be connecting multiple sites with a dedicated VPN connection back to our main office. The plan was to use existing broadband service providers at these unmanned sites and route all traffic through the main network and down to our plant, as we have a dedicated T1 between our main office and the plant. Below is how these will integrate into my existing connections:

The VPN connections were installed without much of a hitch, but after a while I decided I needed to add in remote Snort sensors at all these locations. After some planning and research, I settled on the Alix2d3 board, as it had 3 LAN ports with enough horse power to run Snort and it was reasonably priced. I initially purchased one unit to use as a prototype from Mini-Box.com for about $180 with enclosure, power supply and 4GB compact flash. I have since purchased three more and I’ll be purchasing 5 more later this year. I spent quite sometime trying to get the iMedia linux to work with my plans and didn’t have much luck and decided to move onto FreeBSD. I found a site that had excellent instructions on setting up FreeBSD to PXEBoot. After a couple hours of configuration I was able to get FreeBSD installed. I did a minimal install to begin with and then ran portsnap to download all the ports, which still left me with about 1.9GB available on the 4GB compact flash I’m using.

One thing I dont’ really like about all boards like this is that they have no method of turning them off other than pulling the power cord. I’m not a real big fan of that, there are times you can see sparking across the plug, plus it causes undo wear and tear on the hardware. I made a quick trip up to Radio Shack and bought part # 274-1563, 275-324 and 270-1801 and assembled a little switch box. I cut a 2.1mm plug with leads off of an old wallwart for the plug end. Below is the assembled product.

I also didn’t like that these don’t have an onboard battery, even though there’s a spot for one. I found this blog post on someone else that had the same problem, but I didn’t really like the idea of using the battery holder and offsetting it because of the capacitor nearby. I made a quick trip up to my local Batteries Plus and had them spot weld some leads onto a CR2032 battery, cost me less than $16 for four batteries. I put a bit of electrical tape on the bottom of the battery just in case it touches something on the board and then soldered it carefully into place. The unit will now keep time during power outages. I figure the battery will probably last longer than the unit will be in service, and if it doesn’t, it really isn’t a big deal to install a new battery even though it’s soldered.