Snort mailing list archives
Re: Placing Snort
From: "Bill Parker" <dogbert () netnevada net>
Date: Wed, 1 Sep 2004 09:06:54 -0700
----- Original Message ----- From: Chandana Bandara To: Snort Sent: Wednesday, September 01, 2004 2:30 AM Subject: [Snort-users] Placing Snort hi I implemented snort in this way Internet ---------------> Router -----------------------> Firewall ---------------------> Snort--------------------> switch -----------------> LAN Well, from what you have above, I assume you have snort sitting on a switch port which is mirroring traffic to/from firewall, and this is the way most people set it up (though there are many ways things like this can be set up). You want to make sure that whatever NIC you have plugged into this port is in promisc. mode (so it can see all traffic), and even better, if the NIC can be enabled w/out an IP address (prevents the sensor from reacting to traffic from the NIC itself). Another method would be to make a cat-5 cable which only has the receive pins connected (no transmit) on the side which goes to the computer running snort (this ensures that snort can ONLY listen to traffic and never send anything, even by accident). Bill
Current thread:
- Placing Snort Chandana Bandara (Sep 01)
- Re: Placing Snort Matt Kettler (Sep 01)
- Re: Placing Snort Bill Parker (Sep 01)
- Re: Placing Snort Jose Maria Lopez (Sep 01)