Honeypots mailing list archives
Re: honeypot+ids?
From: Jose Nazario <jose () monkey org>
Date: Mon, 11 Aug 2003 15:05:02 -0400 (EDT)
On Mon, 11 Aug 2003, Patrick Dolan wrote:
I find it easiest to set up the router/switch as a computer rather than just a piece of hardware. OpenBSD, for instance, has good capabilities for packet filtering. With this method, you can run the IDS on the router and have it listen to the internal interface. I've used OpenBSD in combination with Snort for this scenario and it works well.
log all packets that come through and have snort listen on pflog0 or use the pf command "dup-to" to duplicate packets to the sensor. easy as pie.
___________________________
jose nazario, ph.d. jose () monkey org
http://monkey.org/~jose/
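The two options from the reply above, written out as a pf.conf fragment. This is an added example, not part of the original post: the interface name, sensor address and snort.conf path are assumptions, and the rules use current OpenBSD pf syntax, which has changed across releases.

```pf
# pf.conf fragment (added example; names and addresses are assumptions)
int_if = "em1"           # interface facing the honeypot segment (assumed name)
sensor = "192.0.2.10"    # separate IDS sensor, constructed address; must be
                         # reachable on a directly connected network

# Option 1: IDS runs on the router itself and reads pflog0.
# "log (all)" logs every packet of a connection; plain "log" records only
# the packet that creates the state entry, which is too little for an IDS.
pass in  log (all) on $int_if
pass out log (all) on $int_if

# Then start the IDS on the pf logging interface, for example:
#   snort -i pflog0 -c /etc/snort/snort.conf      (config path assumed)

# Option 2: IDS runs on a separate sensor host; pf copies matching packets
# to it. Use this instead of the option 1 rules, since the last matching
# rule decides what happens to a packet.
# Syntax for OpenBSD 6.9 and later; earlier releases and other pf ports
# also name the outgoing interface: dup-to (ifname address).
#pass in  on $int_if dup-to $sensor
#pass out on $int_if dup-to $sensor

# Check the ruleset without loading it:  pfctl -nf /etc/pf.conf
```

Option 1 keeps everything on one box, so a compromise of the router also exposes the IDS; option 2 keeps the sensor off the forwarding path at the cost of a second host.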