Netgate Discussion Forum

    I want to use Snort, Squid & Wireshark on my home network but not sure where to place them, or even if they're really needed, plus other questions. Advice?

    This topic has been deleted. Only users with topic management privileges can see it.
    • jennywilliams

      I'm pursuing a career in Networking and Information Security so I'm trying to broaden my knowledge and skill set. I'd like to become familiar with Snort, Squid and Wireshark because I've read that they're popular network tools in the enterprise world, plus they're all free. I'd also like to gain some practice and familiarity with network monitoring and understanding packet captures, and creating my own little IDS seems like a good project to attempt.

      Should I run all three programs natively on Ubuntu, or should I put them all on a VM? I'm thinking a VM, but is there any advantage to running them natively? I have an old Pentium 4 with two NICs and I plan to install Ubuntu Server. I don't plan on using it for NAS or media sharing or anything else, I want the machine dedicated for network monitoring.

      Can I run all three together, or will they interfere with each other in some way if they're all running on the same machine or VM? Will they slow down my machine or my network if all three are monitoring and logging everything? Will they get in each other's way somehow since they'll all be using the same NICs? Do I need to do any special configuration or setup so they all play nice together?

      Should I put my machine between my router and my switch, or should I attach it to a port on my switch and set up port mirroring? Since I have a DSL modem/router connected to a phone line, I can't place the machine between my router and my ISP. The router has a basic but decent firewall that blocks incoming traffic, and my switch is a Linksys WRT54GS with DD-WRT installed on it. I think that placing the machine between the router and the switch would allow faster monitoring, but if the machine goes down for some reason then won't my whole LAN lose its connection to the internet? If the machine is plugged into a port on the switch then I can tinker with the server without affecting my other devices, but I may have to limit the logging it does in order to keep up with network traffic.

      Do I really need Snort to protect myself? Can consumer home networks be probed from across the Internet? I have DSL, so my connection goes through my local ISP's network. I know that ISPs have some protection in place to guard them and their customers, but I don't really know specifically what kind of incoming traffic they block or mitigate. If I have Snort behind my firewall, will it catch any incoming traffic at all? How useful is it for monitoring my regular web surfing?

      Do I really need Wireshark to monitor outgoing traffic, or is it overkill? I've used Wireshark to monitor WiFi traffic, I understand its usefulness there. I've read that it's also useful to capture all outgoing traffic on my network so that I can watch for things like trojans or viruses trying to call out to malicious websites. Won't Snort do this, though? Do I gain any advantage by using Wireshark alongside Snort?

      Is Squid worth taking the time to learn if I'm just getting started in my networking career? I don't really need to filter anyone's traffic, I just want to pull off upside-down-ternet.

      Any feedback is welcome. I'm trying to get a better idea of what I need to do before I dive in and start installing and configuring everything because I don't have a lot of free time.


      • Derelict LAYER 8 Netgate @jennywilliams

        @jennywilliams said in I want to use Snort, Squid & Wireshark on my home network but not sure where to place them, or even if they're really needed, plus other questions. Advice?:
        snip

        Is Squid worth taking the time to learn if I'm just getting started in my networking career? I don't really need to filter anyone's traffic, I just want to pull off upside-down-ternet.

        If that is important to you then, yes, you should learn squid.

        Any feedback is welcome. I'm trying to get a better idea of what I need to do before I dive in and start installing and configuring everything because I don't have a lot of free time.

        Neither does anyone else. Please re-read the above post and consider how much time it would take for someone to answer all that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • johnpoz LAYER 8 Global Moderator

          @derelict said in I want to use Snort, Squid & Wireshark on my home network but not sure where to place them, or even if they're really needed, plus other questions. Advice?:

          how much time it would take for someone to answer all that.

          And then he/she might just delete the whole thread.. if he/she doesn't like the answer or gets what they want.. So sure and the F wouldn't spend more than a few seconds on a response.

          Posts that are a wall of text don't normally get many responses... While responses can sometimes get long.. You prob have better luck in drawing attention with simple, to-the-point questions you might have.. For example start with just snort, or squid, or wireshark asking how best to leverage vs all of it at once.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.