Snort mailing list archives
RE: Snort behind host's firewall
From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Fri, 8 Jun 2001 09:08:43 -0700
Radu, I think you already answered your question.. Put snort behind YOUR firewall. If snort is behind your firewall (assuming it is in front of only your servers and passing traffic to/from your servers only), snort should not hear anything from the other servers. If the firewall is shared with the "other guys", you're probably on a switch (at least, I'd expect a co-lo to put you on a switch), so you shouldn't see most of their traffic (maybe some ARP/chatter that is easily ignored). You're better off not having snort 'ignore' the other guys by IP, since this wouldn't detect things like smurf attacks or if their boxes were breached and were being used to attack the subnet.. /Dan Hawrylkiw -----Original Message----- From: RoBSD [mailto:robsd () softhome net] Sent: Friday, June 08, 2001 1:14 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Snort behind host's firewall Hello, And sorry if I ask a question that has already a answer on the list! I want to deploy 4 servers on one collocation center and my servers will be in one network with servers that are not ours and I don't want to provide IDS for them. So, if it's possible to configure snort to not use promiscuous mode and to analyze only packets that pass through my firewall. I know that I can use "-h IP" but on 2 servers I will have multiple IP's (more than 20) and for this I will have to add for every new IP a new configuration! And in the same time I want to spare same CPU time and only analyze what pass the firewall! Thank you for your response! Radu Coroi -- Best regards, RoBSD mailto:robsd () softhome net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort behind host's firewall RoBSD (Jun 08)
- RE: Snort behind host's firewall Jason Lewis (Jun 08)
- <Possible follow-ups>
- RE: Snort behind host's firewall Hawrylkiw, Dan G (Jun 08)