Snort mailing list archives
Re: Snort Implementation
From: "Jeff Pricher" <jeffpricher () yahoo com>
Date: Tue, 7 Oct 2003 17:45:37 -0500
Have a look at Erek Adams' site: http://www.theadamsfamily.net/~erek/snort/ids_placement.txt

You do not have port mirroring enabled in your switched environment, so you are only going to see broadcast traffic and traffic directly to or from your Snort box.

----- Original Message -----
From: Adam Towarnyckyj
To: snort-users () lists sourceforge net
Sent: Tuesday, October 07, 2003 4:01 PM
Subject: [Snort-users] Snort Implementation

Howdy all,

I'm new to the Network Operations field and I just recently started working at an ISP. I've used Snort in the past, and was wondering what various forms of implementation other network admins use for Snort. Like, do you use a dedicated Snort server and have all traffic routed through it first? Do you park it somewhere on the network and set the Home and External net variables?

I'm just wondering because recently I set a server up here to use Snort. I have it sitting in the server room hooked up to our master switch. I set the variables for the external network and the internal network, but I'm not getting NEARLY the amount of traffic I thought I would be. Like, I know many of our users here use Kazaa, but I get no Kazaa alerts whatsoever. I DO get alerts, but mostly alerts coming from or going to the server IP that Snort is running on. I've gotten a few other alerts, but not many at all.

So I was also wondering if this setup is poor implementation and if there is a better way of doing this. I mean, obviously putting two network cards on this server and hooking one to our router and one to the switch would be best. I'd catch ALL traffic coming in and going out. However, this would be a weak point in our network, and if this server failed in some way, we'd lose everything. Plus, they won't let me do that. :)

If anyone can help me out with some suggestions, I'd appreciate it. I've received emails from other network admins telling us of activity originating from our network, and they include Snort logs as proof. I'd like to be able to do this myself in the best possible manner without causing a bottleneck.

Thanks!

Adam Towarnyckyj
Network Operations
CommSpeed
http://www.commspeed.net/
Phone: 928-772-1111 x131
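A quick way to confirm the diagnosis given in this reply (no mirror port, so the sensor only sees broadcast traffic and its own traffic) is to capture a few seconds of link-layer headers on the sniffing interface and count how many frames belong to other hosts. The script below is an added example and is not part of this thread or of Snort; it parses the text output of `tcpdump -e -n` and classifies each frame by its MAC addresses. The sensor MAC and the sample capture lines are constructed for the example.

```python
import re
from collections import Counter

# Hypothetical MAC address of the Snort sensor's sniffing interface (constructed).
SENSOR_MAC = "00:aa:bb:cc:dd:ee"

# Constructed sample of `tcpdump -e -n -i eth0` output (not a real capture).
# Frame 1: ARP broadcast from another host; frames 2-3: the sensor talking to
# another host; frame 4: mDNS multicast; frame 5: unicast between two OTHER
# hosts, which a sensor on a plain switch port would never see.
SAMPLE_CAPTURE = """\
17:45:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.20, length 46
17:45:01.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 10.0.0.20 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
17:45:01.000003 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.5 > 10.0.0.20: ICMP echo reply, id 1, seq 1, length 64
17:45:01.000004 00:de:ad:be:ef:01 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 10.0.0.33.5353 > 224.0.0.251.5353: UDP, length 78
17:45:01.000005 00:de:ad:be:ef:01 > 00:de:ad:be:ef:02, ethertype IPv4 (0x0800), length 1514: 10.0.0.33.1214 > 10.0.0.44.1214: Flags [P.], seq 1:1449, ack 1, win 64240, length 1448
"""

# Timestamp, then "src_mac > dst_mac," as printed by tcpdump -e.
FRAME_RE = re.compile(r"^\S+\s+([0-9a-f:]{17}) > ([0-9a-f:]{17}),", re.IGNORECASE)


def is_broadcast_or_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) set => multicast/broadcast."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify_frames(capture_text: str, sensor_mac: str) -> Counter:
    """Count frames by whether the sensor itself, a group address, or only third parties are involved."""
    sensor_mac = sensor_mac.lower()
    counts = Counter()
    for line in capture_text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # not a frame header line (tcpdump continuation lines, banners, ...)
        src, dst = m.group(1).lower(), m.group(2).lower()
        if sensor_mac in (src, dst):
            counts["local"] += 1
        elif is_broadcast_or_multicast(dst):
            counts["broadcast_multicast"] += 1
        else:
            counts["third_party_unicast"] += 1
    return counts


def mirror_appears_active(capture_text: str, sensor_mac: str) -> bool:
    """True if the sensor sees unicast traffic between other hosts, i.e. a SPAN/mirror port or tap is feeding it."""
    return classify_frames(capture_text, sensor_mac)["third_party_unicast"] > 0


if __name__ == "__main__":
    counts = classify_frames(SAMPLE_CAPTURE, SENSOR_MAC)
    print(dict(counts))
    if mirror_appears_active(SAMPLE_CAPTURE, SENSOR_MAC):
        print("Sensor sees third-party unicast traffic: mirroring appears to be working.")
    else:
        print("Only local and broadcast/multicast frames seen: no mirror port or tap is feeding this interface.")
```

On a sensor plugged into an ordinary switch port, the `third_party_unicast` count stays at zero no matter how HOME_NET and EXTERNAL_NET are set, which is exactly the symptom in the original message; enabling a SPAN/mirror session toward the sensor's port (or inserting a tap) is what makes that count climb.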
Current thread:
- Snort Implementation Adam Towarnyckyj (Oct 07)
- Re: Snort Implementation Jeff Pricher (Oct 07)