Snort mailing list archives

RE: Running 2 instances of snort


From: "Michael Steele" <michaels () silicondefense com>
Date: Sat, 15 Jun 2002 09:08:35 -0700

Archer,

Snort usually sits between the firewall and DMZ. If you have 2
interfaces, you place Snort on one interface and set it to promiscuous
mode and use the other interface as a management interface. You only
need one instance of Snort. You should only be interested in what comes
thru the firewall.

If you're using the information for some kind of statistical purpose then
running Snort on the outside and inside may prove useful.

Anytime you run Snort on the outside of the firewall you're going to see
an enormous amount of alerts being triggered, and you're going to have to
sort thru them.

Michael Steele | System Engineer / System Administrator     
mailto:michaels () silicondefense com
http://www.silicondefense.com

-----Original Message-----
From: Archer [mailto:archer () ironcomet com] 
Sent: June 14, 2002 10:25 PM
To: Michael Steele
Subject: Re: Running 2 instances of snort

Michael,

Thank you for your reply.

The reason for the 2 interfaces is as such. One will be in front of a
corporate firewall and another will be behind it. This way everything is
logged. If there is a penetration through the firewall, then snort
should be able to get something.

We are using sniffer cables on both sides and any changes are done at
the console.

Does this seem like solid logic on this? Or am I missing something?

Thanks again for your input and I will check out the link you sent.

Archer





