Snort mailing list archives

RE: Using SNORT for Internal IDS


From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Wed, 25 Jun 2003 08:24:36 -0500

Sure, Snort can be used anywhere you please - internal, external, or
otherwise.  You may have as many copies of snort running as you please,
on as few or as many machines as you please - it's open source and free.
When converting from 1.9 to 2.0, I even had both versions running
simultaneously on the same box with no issues.
 
All you need to do is customize the rules files and conf file for each
location.  There's really no documentation _specifically_ about doing
this, because none is necessary.   
 
Andrew
Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856

        -----Original Message-----
        From: Pankaj Gupta [mailto:pgupta () interloci com] 
        Sent: Tuesday, June 24, 2003 3:17 PM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] Using SNORT for Internal IDS
        
        
        I am not sure if Snort can be used to monitor internal attacks
        or intrusion activities. Also, can I use two copies of Snort (installed
        on two separate servers), one to monitor the external port outside my
        firewall and the other to monitor specific internal ports for signature
        matches? Does anyone have any experience, inputs or documentation on
        this matter? Thanks.
         
        Pankaj Gupta
         
