Overview

All the snort sensors are running '''FreeBSD 8.0'''. The following PIDs have login rights for the sensors:

marchany urbanski pkobezak rkeller bjones kerryja sparksb garyah stlee dawson ancole coal167 chiles brownej rsprague

Logging In

Users can log in with their PID/password over SSH on port 356. The sensor hard drives are very small, so if you're going to be logging packets, please use tshark instead of tcpdump. tshark supports a -a option that lets you set a file size at which it stops logging, which keeps a runaway packet capture from eating all the disk space.

example:

tshark -i bridge0 -a filesize:5120 -w /usr/data/urbanski-http.pcap "tcp port 80"

will record 5 MB of HTTP traffic into /usr/data/urbanski-http.pcap

Free space in home directories is extremely limited so please record packets in /usr/data/ instead. This directory has r+w permissions for all users who have access to the sensors.
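The following wrapper is an added example for this page, not a script that ships on the sensors: it builds the same kind of size-capped tshark command as above, keeps the output under /usr/data/, and refuses to start when the filesystem has less free space than the cap. The helper names are this example's own; the only assumption about tshark is that the value after -a filesize: is in kilobytes (1024-byte units), which is why 5 MB becomes 5120.

```shell
#!/bin/sh
# Added example (not from the original wiki page): build a size-capped
# tshark capture command so a runaway capture cannot fill the small
# sensor disks. Helper names are this example's own (assumption).

CAPTURE_DIR=/usr/data   # shared r+w capture directory named on the page

# mb_to_kb MB -> prints the kilobyte value tshark expects after -a filesize:
# (assumption: tshark counts filesize in 1024-byte units)
mb_to_kb() {
    echo $(( $1 * 1024 ))
}

# capture_path NAME -> prints the pcap path under $CAPTURE_DIR, or fails
# if NAME is empty or contains a slash, so captures cannot land in $HOME
capture_path() {
    case "$1" in
        */*|"") return 1 ;;
    esac
    printf '%s/%s.pcap\n' "$CAPTURE_DIR" "$1"
}

# build_capture_cmd IFACE SIZE_MB NAME [BPF...] -> prints (does not run)
# the tshark command line with a file-size stop condition
build_capture_cmd() {
    iface=$1; size_mb=$2; name=$3; shift 3
    out=$(capture_path "$name") || return 1
    kb=$(mb_to_kb "$size_mb")
    printf 'tshark -i %s -a filesize:%s -w %s "%s"\n' "$iface" "$kb" "$out" "$*"
}

# free_kb DIR -> prints free kilobytes on the filesystem holding DIR
# (df -P gives the POSIX single-line layout on both FreeBSD and Linux)
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# has_room DIR SIZE_MB -> succeeds only if free space exceeds the cap,
# so the capture can reach its limit without exhausting the disk
has_room() {
    [ "$(free_kb "$1")" -gt "$(mb_to_kb "$2")" ]
}

# Usage on a sensor: check space, then run the generated command.
#   has_room "$CAPTURE_DIR" 5 && eval "$(build_capture_cmd bridge0 5 urbanski-http tcp port 80)"
```

Run the has_room check before every capture; on these sensors the free space in /usr/data is the real limit, and the -a filesize: cap only helps if it is smaller than what is actually available.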

Reporting Interface

The IDS reporting interface is available online at ids-mgmt.cirt.vt.edu

Deployment

The 'edscXX' adapters are virtual NICs that are used by snort. You can monitor traffic on these adapters, but the traffic going to them is restricted by BPF filters, so you will probably only see an extremely small subset of the traffic reaching the bridge.

ISB Sensor(s)

198.82.250.35 (isb-ids-1.cns.vt.edu; piglet.cns.vt.edu)

em0: campus <-> internet
em1: machine room <-> internet
bridge0: virtual bridge of em0 and em1

Burruss Sensor

198.82.250.107 (bur-ids-1.cns.vt.edu; babe.cns.vt.edu)

em0: burruss <-> cassell
em1: burruss <-> isb
bridge0: virtual bridge of em0 and em1

Owens Sensor

198.82.250.174 (owe-ids-1.cns.vt.edu; gordy.cns.vt.edu)

em0: owens <-> cassell
em1: owens <-> burruss
bridge0: virtual bridge of em0 and em1

Cassell Sensor

not deployed

198.82.250.88

Hillcrest Sensor

not deployed

198.82.250.139

Shanks Sensor

not deployed

198.82.250.205