Sunday, February 14, 2010

SimWitty Internship: Week 5

This week I was doing some thinking about how I want to configure my network within VirtualBox. As of right now it will be populated by two workstations and two servers. The workstations both run Windows XP Pro SP2 and the servers both run Windows Server 2008 Standard Edition.

One server will be configured to run the Snort engine and the other will be the database server. The database server will also be running: Active Directory as a domain controller, IIS, DNS, probably DHCP, and probably RRAS. VirtualBox can run its own DHCP server for internal networks (which this will be) via the VBoxManage command line, but I thought having DHCP on an actual VM might make it more controllable.

The two XP machines will be domain members. I haven't decided whether to join the Snort machine to the domain. I guess I should since it can't run in stealth mode anyway, being a Windows box.
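The VirtualBox side of this plan, as an added example that is not part of the original post: one internal network with VirtualBox's built-in DHCP server, created with the VBoxManage commands mentioned above. The VM names, the network name and the 10.10.0.0/24 range are assumptions. The Snort box's NIC is additionally set to promiscuous mode, because an internal network otherwise delivers each VM only its own frames and the sensor would log nothing but its own traffic. By default the script only prints the commands; pass --apply to execute them.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the lab as a VirtualBox
# internal network using VirtualBox's own DHCP server (VBoxManage dhcpserver),
# so the VMs never touch the host's network.
# Assumptions: VM names, the network name and the 10.10.0.0/24 range.
set -eu

NETNAME="simwitty-lab"                 # assumed internal network name
DC_VM="WIN2008-DC"                     # assumed: domain controller / DB server
SNORT_VM="WIN2008-SNORT"               # assumed: Snort sensor
WS_VMS="XP-WS1 XP-WS2"                 # assumed: the two XP workstations

# Print every command; execute it only when DRY_RUN is empty (--apply).
DRY_RUN=${DRY_RUN-1}
[ "${1:-}" = "--apply" ] && DRY_RUN=

vbox() {
    echo "VBoxManage $*"
    [ -n "$DRY_RUN" ] || VBoxManage "$@"
}

build_lab() {
    # VirtualBox's DHCP server for the internal network (the alternative the
    # post weighs against running DHCP on the domain controller VM).
    vbox dhcpserver add --netname "$NETNAME" --ip 10.10.0.1 \
        --netmask 255.255.255.0 --lowerip 10.10.0.100 --upperip 10.10.0.200 --enable

    # Workstations and the DC: first NIC attached to the internal network.
    for vm in $WS_VMS $DC_VM; do
        vbox modifyvm "$vm" --nic1 intnet --intnet1 "$NETNAME"
    done

    # Snort sensor: same network, plus promiscuous mode. Without allow-all,
    # VirtualBox hands the sensor only frames addressed to it, so it would
    # never see the workstation-to-attacker traffic the plan wants recorded.
    vbox modifyvm "$SNORT_VM" --nic1 intnet --intnet1 "$NETNAME" \
        --nicpromisc1 allow-all
}

build_lab
```

A quick sanity check after applying is `VBoxManage list dhcpservers`, which should show the new server bound to the network name; a sensor VM that still sees only its own traffic is almost always missing the promiscuous-mode setting.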

The Matriux machine is going to be an outsider for starters and we'll go from there. With the plan being to try client side attacks against the XP machines, I'm hoping the bad connections they make (to Matriux box) will be routed out to Matriux via the Domain Controller and if all goes according to plan the Snort machine will record everything. This is a conceptual map of what I am trying to achieve:

I have also been working on getting Snort installed on its machine. All is going well, and I went by our "Snort Integration v1 (draft)". It runs and logs just fine on the local machine, but I am having a hell of a time getting it to connect to the DB server. For something in such wide use, Snort is one of the most difficult and poorly documented programs ever... especially on Windows and especially using MS SQL.

It took me a long time to find a trustworthy version of ntwdblib.dll, an old MS SQL interface library that Snort needs. I'm not even sure that SQL Server 2008 supports being used in this way. I think this will be the most difficult thing to get working. Well, at least my final class is over now so I have more time to dedicate to getting this thing working.

2 comments:

  1. "I'm not even sure that SQL Server 2008 supports being used in this way. I think this will be the most difficult thing to get working."

    If you need any help getting Snort operational, don't hesitate to ask. I am using the ntwdblib.dll from the latest SQL 2000 service pack.

  2. I got mine via the "Security Update for SQL Server 2000 Service Pack 4 and MSDE 2000 (KB960083)". It's version 2000.80.2282.0. I am betting I'm just overlooking some small detail, so I am just going to keep working at it. If I totally brick wall, I'll let you know.
    ---jah
