Snort mailing list archives

RE: Snort behind host's firewall


From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Fri, 8 Jun 2001 09:08:43 -0700

Radu,

  I think you already answered your question. Put snort behind YOUR
firewall.  If snort is behind your firewall (assuming it is in front of only
your servers and passing traffic to/from your servers only), snort should
not hear anything from the other servers.  

If the firewall is shared with the "other guys", you're probably on a switch
(at least, I'd expect a co-lo to put you on a switch), so you shouldn't see
most of their traffic (maybe some ARP/chatter that is easily ignored).

You're better off not having snort 'ignore' the other guys by IP, since this
wouldn't detect things like smurf attacks or if their boxes were breached
and were being used to attack the subnet.

/Dan Hawrylkiw


-----Original Message-----
From: RoBSD [mailto:robsd () softhome net]
Sent: Friday, June 08, 2001 1:14 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort behind host's firewall


Hello,
And sorry if I ask a question that already has an answer on the list!
I want to deploy 4 servers on one collocation center and my servers
will be in one network with servers that are not ours and I don't want
to provide IDS for them. So, is it possible to configure snort to
not use promiscuous mode and to analyze only packets that pass through
my firewall? I know that I can use "-h IP" but on 2 servers I will
have multiple IPs (more than 20) and for this I will have to add for
every new IP a new configuration! And at the same time I want to spare
some CPU time and only analyze what passes the firewall!

Thank you for your response!

Radu Coroi
  

-- 
Best regards,
 RoBSD                          mailto:robsd () softhome net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

