All the snort sensors are running '''FreeBSD 8.0'''. The following PIDs have login rights on the sensors:
marchany urbanski pkobezak rkeller bjones kerryja sparksb garyah stlee dawson ancole coal167 chiles brownej rsprague
Users can log in with their PID and password over SSH on port 356. The sensor hard drives are very small, so if you are going to log packets, please use tshark instead of tcpdump. tshark supports a -a option (-a filesize:N, with N in kB) that stops the capture once the output file reaches the given size, which keeps a runaway packet capture from eating all the disk space.
example:
tshark -i bridge0 -a filesize:5120 -w /usr/data/urbanski-http.pcap "tcp port 80"
will record 5 MB (5120 kB) of HTTP traffic seen on bridge0 into /usr/data/urbanski-http.pcap and then exit.
Free space in home directories is extremely limited, so please record packets in /usr/data/ instead. That directory is readable and writable by all users who have access to the sensors.
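The following wrapper is an added example for this page (it is not part of the sensor build or anything the CIRT ships): it turns the advice above into a script that builds a size-bounded tshark capture under /usr/data, refuses capture names that could escape that directory, checks with df that there is headroom before starting, and adds a duration cap as a second backstop in case the filter never matches. The function names, the 2x headroom rule and the one-hour default duration are this example's own choices; bridge0, /usr/data and the kB unit of -a filesize: come from the page and tshark's documentation.

```shell
#!/bin/sh
# capture.sh NAME MB "FILTER" - size-bounded tshark capture for the snort sensors.
# Added example, not the sensors' own tooling. Assumes tshark is in PATH and that
# /usr/data exists and is writable, as described on this page.

DATA_DIR="${DATA_DIR:-/usr/data}"   # where captures must go (home dirs are too small)
IFACE="${IFACE:-bridge0}"           # the bridge of em0 and em1 on every sensor
DURATION="${DURATION:-3600}"        # assumed default: stop after one hour regardless of size

# mb_to_kb MB -> prints the number tshark's -a filesize: expects (kB, 1 MB = 1024 kB)
mb_to_kb() {
    echo $(( $1 * 1024 ))
}

# capture_path NAME -> /usr/data/<login>-NAME.pcap; rejects names with path characters
capture_path() {
    name=$1
    case "$name" in
        *[!A-Za-z0-9_-]*|"") echo "bad capture name: '$name'" >&2; return 1 ;;
    esac
    echo "$DATA_DIR/${LOGNAME:-$(id -un)}-$name.pcap"
}

# free_kb DIR -> available kB on the filesystem holding DIR (df -kP is POSIX, one line per fs)
free_kb() {
    df -kP "$1" | awk 'NR==2 {print $4}'
}

# tshark_cmd NAME MB FILTER -> prints the command line that would be run (for review or logging)
tshark_cmd() {
    path=$(capture_path "$1") || return 1
    printf 'tshark -i %s -a filesize:%s -a duration:%s -w %s "%s"\n' \
        "$IFACE" "$(mb_to_kb "$2")" "$DURATION" "$path" "$3"
}

# run_capture NAME MB FILTER -> refuses to start unless twice the cap is free, then execs tshark
run_capture() {
    need=$(( $(mb_to_kb "$2") * 2 ))   # 2x headroom: assumed rule of thumb for a shared sensor
    have=$(free_kb "$DATA_DIR")
    if [ "$have" -lt "$need" ]; then
        echo "only ${have} kB free in $DATA_DIR, need ${need} kB; pick a smaller cap" >&2
        return 1
    fi
    path=$(capture_path "$1") || return 1
    exec tshark -i "$IFACE" -a "filesize:$(mb_to_kb "$2")" -a "duration:$DURATION" -w "$path" "$3"
}

# Invoked as a script: capture.sh http 5 "tcp port 80" reproduces the page's example.
if [ $# -ge 3 ]; then
    run_capture "$@"
fi
```

Running `sh capture.sh http 5 "tcp port 80"` as urbanski produces the same tshark invocation as the example above, with the extra one-hour duration cap; the free-space check fails loudly instead of starting a capture that /usr/data cannot hold.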
The IDS reporting interface is available online at ids-mgmt.cirt.vt.edu
The 'edscXX' adapters are virtual NICs used by snort. You can monitor traffic on these adapters, but the traffic going to them is restricted by BPF filters, so you will probably only see an extremely small subset of the traffic reaching the bridge.
198.82.250.35 (isb-ids-1.cns.vt.edu; piglet.cns.vt.edu)
em0: campus <-> internet
em1: machine room <-> internet
bridge0: virtual bridge of em0 and em1
198.82.250.107 (bur-ids-1.cns.vt.edu; babe.cns.vt.edu)
em0: burruss <-> cassell
em1: burruss <-> isb
bridge0: virtual bridge of em0 and em1
198.82.250.174 (owe-ids-1.cns.vt.edu; gordy.cns.vt.edu)
em0: owens <-> cassell
em1: owens <-> burruss
bridge0: virtual bridge of em0 and em1
198.82.250.88 (not deployed)
198.82.250.139 (not deployed)
198.82.250.205 (not deployed)