Snort mailing list archives
Re: Install location
From: "Eckhardt Newger" <enewger () gmx de>
Date: Fri, 14 Jan 2005 20:49:59 +0100
Hi Seth Art,

Thanks for your reply. So it seems feasible to use an existing workstation for a snort installation. Fine.

All my traffic is handled by a D-Link 614+: it acts as switch for my LAN clients, as AP for wireless LAN clients, and as router to connect to the Internet via a separate DSL modem. So do you see any need to additionally install a hub? Network traffic is moderate, so performance considerations don't have to be taken into account here.

I've read somewhere that I might be obliged to do port bridging when using a switch. I must confess that I'm totally unclear about this.

Finally, should I give Snort an Ethernet card of its own to connect to the LAN, and, if so, how to avoid conflicts with the already installed Ethernet card used by the workstation for its normal network traffic?

Any further hints are highly welcome.

Best regards
Eckhardt Newger

-----Original Message-----
From: Seth Art [mailto:sethart () gmail com]
Sent: Friday, 14 January 2005 18:49
To: Eckhardt Newger
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Install location

For home use you should be perfectly fine installing snort on an existing client. I am running Fedora Core 3 at home with snort, ntop, apache, and an ftp server on a P3 500mhz machine and it seems to handle the load quite well.

If you are not dealing with tons of traffic at home you should be fine with buying a hub (make sure it is a 100mb hub) and plugging the wireless router and all your machines into the hub. So. Cable/DSL --> router/wireless router -> Hub. And then plug all your other computers into the hub as well. If you have a router but a Wireless AP you should plug your AP into the hub also. This will replicate all traffic to all the ports, which in theory slows you down, but if you're not doing many LAN transfers you shouldn't really notice any performance impact. I don't at least. The hub I am using is a Netgear 100mb that I got for about 40 bucks.
Lastly, one of the ports on the hub should go to a second interface on your snort machine. As far as how to configure this interface and have it sniff while everything else from the client uses your original interface, there is a thread started today or yesterday (multi-homed) which hits it on the head.

Another configuration is to put Cable/DSL into the hub, router into the hub, and have all the clients (including the WAP) into the router, except the sniffing interface on the snort machine, which will also be plugged into the hub. This is like putting your snort sensor at work outside the firewall. You will not see 192.x.x.x addresses, you will see only your public IP address as the destination for all of the machines. (I think, that may have just been ntop.) This option will not affect LAN transfers at all as far as performance, AFAIK.

I am still fairly new to snort, linux, and all of this, so if anyone has seen any errors in my advice or what I am doing I would love to hear them as well.

I hope I helped.

-Seth

On Thu, 13 Jan 2005 15:28:24 +0100, Eckhardt Newger <enewger () gmx de> wrote:
I'm thinking of giving Snort a try on my small home wireless LAN which connects through a router/switch to the Internet. I've read through many installation guides. All of them recommend installing Snort on a dedicated PC, if I understood it right. But I do not want to install additional hardware for Snort (at least not at the moment).

So my question is: Is it feasible/possible to install Snort on an already existing client, and how should I do it (separate NIC, unbound (how on a Win XP Pro system?))? Do I lose any functionality with this kind of installation?

Many thanks in advance for any advice.

Eckhardt Newger

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Install location Eckhardt Newger (Jan 13)
- Re: Install location Seth Art (Jan 14)
- Re: Install location Eckhardt Newger (Jan 14)
- Re: Install location Seth Art (Jan 14)
- Re: Install location Eckhardt Newger (Jan 14)
- Re: Install location Eckhardt Newger (Jan 14)
- Re: Install location Seth Art (Jan 14)
- <Possible follow-ups>
- Install location Eckhardt Newger (Jan 13)
- Re: Install location Matthew K. Lee (Jan 13)
- Re: Install location Eckhardt Newger (Jan 18)