RE: Placement of Snort IDS

["Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>]

Place your Snort box on the switch, and span the port it is on. It will then
sniff all traffic passing through the switch. The Snort sensor is not setup
as a gateway.

Snort is used to alert and log certain packets, it does not drop them based
on a rule. Though whoever told you that it drops packets was probably
referring to the flexresp option, where you can send tcp resets based on a
rule being triggered.


Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com



-----Original Message-----
From: Kenny D [mailto:bitored2002 () yahoo com au]
Sent: Wednesday, April 10, 2002 12:04 PM
To: snort users
Subject: [Snort-users] Placement of Snort IDS


Hi,

I need to know  where to place a snort ids in a
switched environment. Is it setup with a promiscuous
mode port and port mirroring configured in the switch?
Or is it setup to have all traffic pass through it so
that it would act as a default gateway between
servers/users and the firewall?

Someone told me that snort can drop packets if there
is a rule matched, im not so sure. I thought snort
logged not dropped. Thats why i have begun to rethink
its placement. Who is right or wrong?

Thanks.

http://www.sold.com.au - SOLD.com.au Auctions
- 1,000s of Bargains!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users