Re: newbie to snort

[Erek Adams <erek () theadamsfamily net>]

On Thu, 2 Aug 2001, jevon wrote:

> I am about to install snort on my network and I have a few questions.

You'll be glad you did...  And you'll be a bit scared...

> 1. I was putting a few snort boxes on my network on in front of the
> firewall and a few other places.  My question is if I want to my snort box
> stealth I read in snort faq, to make an receive-only cable.  If I don that
> how will I be able to send stats via email?  What should I do?

Two options:
1)  Second nic on a private net
2)  Serial cable going to a console server, and do a "cat alerts"

> 2. I was going to plug one of my snort box in to a switch, will this work
> ok? the switch is a 3com linkswith 500.

No.  Not unless the switch can mirror traffic to one port, or that it has a
'monitor' port.

> 3. Also if I build a box with 2 or 3 nic in it, will this help the snort
> box to capture all the traffic to insure no lost packets?

Ehhhh...  Well...  It could help monitor different nets, but as increasing
performance--not really.  You're burning more cycles running more instances or
you could get saturated quicker.

> 4. Also, if I use a 486 DX with 64megs of memory, when that be ok on a
> 100mb and 10mb network?

Depends on your sustained traffic.  This has been hashed and rehashed on the
list.  Take a look at the FAQ.  It discusses this in some detail.  Check
http://www.snort.org/ and click 'FAQ' on the left.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users