Snort mailing list archives
Re: Hardware/snort config question
From: "Marc Quibell" <mquibell () fbfs com>
Date: Wed, 23 Jul 2003 12:45:41 -0500
Hello! Yes, you must port mirror (or port span) on a switch. You will also need a second NIC for connection to the outside hub. Do you do 1-to-1 NAT? A class B block to NAT to? Seems excessive...
Message: 12 Date: Wed, 23 Jul 2003 10:13:11 -0700 From: "Richard Roy" <RoyR () justicetrax com> To: <snort-users () lists sourceforge net> Subject: [Snort-users] Hardware/snort config question This is a multi-part message in MIME format.> ------_=_NextPart_001_01C3513D.B1A964F8 Content-Type: text/plain;> charset="US-ASCII" Content-Transfer-Encoding: quoted-printable First of all, HUGE thanks to Patrick S. Harper for the doc to get snort going and some additional help! Second. I have a logistic question on how/where to put it and configure a few things to properly snort. I have a /16 of real IP addresses that are assigned to a hardware FW's external interface and NATted to the private internal 10's. The signal comes in from the ISP to a router then to a hub then to 2 different firewalls. One which has a single IP assigned to it for my wireless (separate network) and another that has the balance of the /16. The snort box is on the LAN which is all switched. How can I get all the stuff on the switch to be snorted? I'm thinking a port mirror or something right? Second, do I need to add a second NIC and attach to the HUB to see all the external traffic hitting the firewalls or not? My guess is yes or can I simply assign multiple IP's to the same nic (I'm running RH9)
For the internal net I gave the snort box 192.168.100.0/24 to scan that's correct right (assuming it has an address of 192.168.100.x/255.255.255.0) For external I gave it the /16 range of real ip's I have. Thanks in advance. Please excuse this if it is "off-topic" and reply off list if you can help.=20 Richard Roy Network Administrator JusticeTrax Inc 602-938-0059 x102 royr () justicetrax com
------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Hardware/snort config question Richard Roy (Jul 23)
- <Possible follow-ups>
- Re: Hardware/snort config question Marc Quibell (Jul 23)