Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: ideal setup

From: twig les <twigles () yahoo com>
Date: Fri, 9 Aug 2002 09:43:31 -0700 (PDT)
However unless you mirror the port on your switch,
your firewall/snort box won't see internal -> internal
traffic.  If you miss the initial attack, then all the
nasty stuff that follows will get past silently. 
Also, since the firewall is already a potential
chokepoint, do you want to burden it with many
potential L7 packet examinations and TCP stream
reassemblies?


--- Kevin Brown <Kevin.M.Brown () asu edu> wrote:

Then (if snort doesn't have this already) maybe
snort should be used in
non-promiscuous mode if it is run from the firewall
because all the traffic
destined for your network has to go through the
firewall.

-----Original Message-----
From: Keith Young [mailto:kyoung () v-one com]
Sent: Wednesday, August 07, 2002 2:29 PM
To: robert () support4linux com
Cc: quentyn () fotango com;
snort-users () lists sourceforge net
Subject: Re: [Snort-users] ideal setup


Robert Cole wrote:


Ok lets go for a not so dream setup. How about

snort running on the
firewall 

machine and sending its logs to a syslog server.

That a decent setup if
the 

syslog server is heavily protected as well?


Robert,

I wouldn't run Snort on the firewall for two
reasons:
      * Snort will put the interfaces into promiscuous
mode
      * running extra services usually isn't a good idea

What about running a Snort box outside and a Snort
box inside which 
sends log data to the syslog server in the DMZ?

-- 

-- 
--Keith Young
-kyoung () v-one com






-------------------------------------------------------

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:


https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:


http://www.geocrawler.com/redir-sf.php3?list=snort-users





=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: