Snort mailing list archives

Re: Snort Implementation


From: "Jeff Pricher" <jeffpricher () yahoo com>
Date: Tue, 7 Oct 2003 17:45:37 -0500

Have a look at Erek Adams' site.
http://www.theadamsfamily.net/~erek/snort/ids_placement.txt
You do not have port mirroring enabled in your switched environment so you are only going to see broadcast traffic and traffic directly to or from your snort box.
  ----- Original Message ----- 
  From: Adam Towarnyckyj 
  To: snort-users () lists sourceforge net 
  Sent: Tuesday, October 07, 2003 4:01 PM
  Subject: [Snort-users] Snort Implementation


  Howdy all,

  I'm new to the Network Operations field and I just recently started working at an ISP. I've used Snort in the past, and was wondering what various forms of implementation other network admins use for Snort. Like, do you use a dedicated Snort server and have all traffic routed through it first? Do you park it somewhere on the network and set the Home and External net variables?

  I'm just wondering because recently I set a server up here to use Snort. I have it sitting in the server room hooked up to our master switch. I set the variables for the external network and the internal network but I'm not getting NEARLY the amount of traffic I thought I would be. Like, I know many of our users here use Kazaa but I get no Kazaa alerts whatsoever. I DO get alerts, but mostly alerts coming from our going to the server IP that Snort is running on. I've gotten a few other alerts but not many at all.

  So I was also wondering if this setup is poor implementation and if there is a better way of doing this. I mean, obviously putting two network cards on this server and hooking one to our router and one to the switch would be best. I'd catch ALL traffic coming in and going out. However, this would be a weak point in our network and if this server failed in some way, we'd lose everything. Plus, they won't let me do that. :)

  If anyone can help me out with some suggestions, I'd appreciate it. I've received emails from other network admins telling us of activity originating from our network and they include Snort logs as proof. I'd like to be able to do this myself in the best possible manner without causing a bottleneck. Thanks!


  Adam Towarnyckyj

  Network Operations

  CommSpeed

  http://www.commspeed.net/

  Phone: 928-772-1111 x131
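The reply above makes the key point: on a switch port that is not mirrored, a sensor sees only broadcast frames and traffic addressed to its own NIC, so a quiet Snort box is usually a placement problem rather than a rules problem. The following script is an added example (not from the thread or the Snort project) that reads a classic libpcap capture and reports whether any third-party frames were seen, which is the quickest way to confirm a SPAN/mirror port is actually delivering traffic; the sensor MAC and the sample captures are constructed for the example.

```python
import struct

SENSOR_MAC = "00:11:22:33:44:55"   # assumed MAC of the Snort box's sniffing NIC

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify_frame(frame: bytes, sensor_mac: str) -> str:
    """broadcast: dst has the group bit set; local: to/from the sensor NIC;
    third_party: between other hosts, which a switch delivers only to a
    mirrored (SPAN) port, a tap or a hub."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if frame[0] & 0x01:
        return "broadcast"
    if sensor_mac in (_mac(frame[0:6]), _mac(frame[6:12])):
        return "local"
    return "third_party"

def read_pcap(data: bytes):
    """Yield raw frames from classic libpcap file contents (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def mirror_check(frames, sensor_mac=SENSOR_MAC) -> dict:
    """Count frames per class; 'mirrored' is True only if third-party frames were seen."""
    counts = {"broadcast": 0, "local": 0, "third_party": 0}
    for frame in frames:
        counts[classify_frame(frame, sensor_mac)] += 1
    counts["mirrored"] = counts["third_party"] > 0
    return counts

# Constructed sample captures (not real traffic): 14-byte Ethernet header plus padding.
def _frame(dst, src):
    return bytes.fromhex((dst + src).replace(":", "")) + b"\x08\x00" + b"\x00" * 46

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

NO_SPAN_PCAP = _pcap([_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01"), _frame(SENSOR_MAC, "00:aa:bb:cc:dd:02")])
SPAN_PCAP = _pcap([_frame("00:aa:bb:cc:dd:03", "00:aa:bb:cc:dd:04"), _frame(SENSOR_MAC, "00:aa:bb:cc:dd:02")])
```

Run it against a short capture from the sensor interface, e.g. `mirror_check(read_pcap(open("sensor.pcap", "rb").read()), "<sensor MAC>")`; if `third_party` stays at zero while other hosts are busy, the port is not mirrored.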

