Snort mailing list archives

RE: plz help


From: "Nick Duda" <nduda () VistaPrint com>
Date: Thu, 15 Jul 2004 08:52:02 -0400

More importantly, it would be BEHIND the firewall, not in front. You could
do it in both places but would see massive traffic before the firewall.
By putting the sensor behind the firewall you will capture traffic that
the firewall missed and all the traffic from your LAN out. I would span
the gateway port of the switch (the one that goes to the firewall) to
the port the snort sensor is on. If your switch doesn't allow for port
spanning (most Cisco Catalyst do) I would do the following:

 

Internet --> Router --> Firewall --> Hub (hang snort sensor off the hub) --> Switch --> Lan

 

- Nick

 

  _____  

From: Chandana Bandara [mailto:chandana () dialogsl net] 
Sent: Thursday, July 15, 2004 8:20 AM
To: Nick Duda
Cc: Snort
Subject: Re: [Snort-users] plz help

 

Thanx to u all that replied to me. Now I rectified the problem with ur help
and it is working. Thank u very much.

 

------------------------------------------------------------------------

 

Where should I locate this snort box u all recommended? I meant
against the firewall and such.

 

internet --------> router -------> Firewall ------> switch ------> Lan.
As I have shown in this example, I would like to put this before the firewall.
Am I correct? If it is wrong, can u all guide me plz?

 

########################################################################

 

When/if snort received a strange hit, how can I block it from future attacks?
Is there any documentation for rules?

 

Thank u 

 

chandana  

 

        ----- Original Message ----- 

        From: Nick Duda <mailto:nduda () VistaPrint com>  

        To: Chandana Bandara <mailto:chandana () dialogsl net>; snort-users () lists sourceforge net

        Sent: Wednesday, July 14, 2004 7:53 PM

        Subject: RE: [Snort-users] plz help

         

        Nessus, Retina, NMAP, etc. Anything that can do massive pen
        testing will make snort go crazy. Tools like these are required in a
        security pro's toolbox.

         

        
  _____  


        From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chandana Bandara
        Sent: Wednesday, July 14, 2004 7:19 AM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] plz help

         

        Hi,

         

        I have installed snort perfectly on a Red Hat Linux 9 box. The ACID URL
        runs in the browser.

        I used the ping command with huge packet sizes against that snort
        server. But there were no alerts in ACID.

         

        So tell me, how do I check this from other clients?

         

        plz help

         

        thanx in advance

        chandana 

