Snort mailing list archives

Re: Remote collection of data from a Snort sensor in stealth mode


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 16 Jan 2002 01:19:19 -0800 (PST)

On Wed, 16 Jan 2002, Ian Masters wrote:

> Is there a way to remotely collect data from a snort sensor with 2 network
> cards connected to the same hub, one without an IP to collect network data
> in stealth mode and the other with an IP to allow collection of data
> remotely, without the sensor being visible on the network.

Sure is!  :)

> I can't see how this would be possible but a colleague of mine seems to
> think that it is?

Well, YMMV, but it can be done fairly simply.

> Is it?

Yes.  If you are using just two nics you've got two choices.

One stealth interface connected to the outside or inside of your firewall,
basically wherever you want to watch.  The non-stealth interface connected
to the "management network" or "secure net".  This is where you would dump
your snort data to.  Either use barnyard to feed the data to a backend DB, or
use scp to drop off the snort.log files every so often and post-process the
data by running it through a snort process there on that box.

Does that make sense?  Or is it just late?  :-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
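The two-NIC layout Erek describes, written out as a sensor-side script. This is an added example, not code from the post or from the Snort project: it assumes a sniffing interface `eth0`, a management interface `eth1`, a collector host `snortdb.mgmt.example` (placeholder) reachable only over the management net, and Snort writing tcpdump-format logs to `/var/log/snort`. The interface setup and Snort invocations need root and real hardware; the layout check and the scp shipping loop can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical values:
# sniffing NIC eth0, management NIC eth1, collector snortdb.mgmt.example.
SNIFF_IFACE=${SNIFF_IFACE:-eth0}          # stealth NIC: no IP, promiscuous
MGMT_IFACE=${MGMT_IFACE:-eth1}            # management NIC: has an IP
SNORT_LOGDIR=${SNORT_LOGDIR:-/var/log/snort}
COLLECTOR=${COLLECTOR:-snort@snortdb.mgmt.example:/var/spool/snort/incoming}
SNORT_SHIP_CMD=${SNORT_SHIP_CMD:-scp}     # transport command; overridable for dry runs
SHIP_MIN_AGE_MIN=${SHIP_MIN_AGE_MIN:-5}   # never ship a file Snort may still be writing

# Bring the sniffing NIC up with no address: flush anything configured,
# turn ARP off so it never answers on the wire, and enable promiscuous mode.
stealth_iface_up() {
    iface=$1
    ip addr flush dev "$iface"
    ip link set dev "$iface" arp off promisc on up
}

# Given the text of `ip -4 -o addr show dev IFACE`, return 0 when an IPv4
# address is configured (the interface is NOT stealth), 1 when there is none.
iface_has_ipv4() {
    printf '%s\n' "$1" | grep -q '[[:space:]]inet[[:space:]]'
}

# Refuse to start if the sniffing NIC has an address or the management NIC
# has none: either mistake makes the sensor visible or unreachable.
check_sensor_layout() {
    sniff_out=$(ip -4 -o addr show dev "$SNIFF_IFACE")
    mgmt_out=$(ip -4 -o addr show dev "$MGMT_IFACE")
    if iface_has_ipv4 "$sniff_out"; then
        echo "refusing: $SNIFF_IFACE has an IPv4 address, not stealth" >&2
        return 1
    fi
    if ! iface_has_ipv4 "$mgmt_out"; then
        echo "refusing: $MGMT_IFACE has no IPv4 address for management" >&2
        return 1
    fi
}

# Run Snort on the stealth NIC, logging packets in tcpdump format (-b) so the
# snort.log.* files can be re-read with the full ruleset on the collector.
start_sensor() {
    check_sensor_layout || return 1
    snort -i "$SNIFF_IFACE" -b -l "$SNORT_LOGDIR" -c /etc/snort/snort.conf -D
}

# Ship closed snort.log.* files over the management NIC "every so often"
# (cron), moving each shipped file aside so it is not sent twice. Prints the
# number of files shipped. Assumes log filenames contain no whitespace.
ship_logs() {
    logdir=${1:-$SNORT_LOGDIR}
    dest=${2:-$COLLECTOR}
    shipped="$logdir/shipped"
    mkdir -p "$shipped"
    count=0
    for f in $(find "$logdir" -maxdepth 1 -name 'snort.log.*' -mmin +"$SHIP_MIN_AGE_MIN"); do
        if "$SNORT_SHIP_CMD" "$f" "$dest"; then
            mv "$f" "$shipped/"
            count=$((count + 1))
        else
            echo "ship failed for $f, will retry next run" >&2
        fi
    done
    echo "$count"
}

# On the collector: re-run each received capture through Snort (-r) so alert
# generation and any DB work happen off the sensor.
postprocess_on_collector() {
    incoming=$1
    for f in "$incoming"/snort.log.*; do
        [ -e "$f" ] || continue
        snort -r "$f" -c /etc/snort/snort.conf -l /var/log/snort/processed
    done
}
```

Install `ship_logs` as a cron job on the sensor and `postprocess_on_collector` on the collector; the age threshold keeps a file that Snort is still appending to out of the shipment, and a failed scp leaves the file in place for the next run. The layout check is the part worth keeping even if the rest changes: an address accidentally configured on the sniffing NIC is exactly what makes the sensor visible.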

