Re: snort placement

[Christopher Cook <crcook () oakland edu>]

Yeah, what he said.  Gotta snap out of work mode sometimes. :-)



David Yip wrote:

> Hey guys, be realistic! It's just a home network. Forget about tap or 
> port mirroring, either install on the gateway or use a hub. No matter 
> how cheap the DLink is, it's still a switch, you'll need a hub. It 
> won't hurt to use a hub since your traffic will not exceed 10-20MB on 
> a cable connection. In my opinion, putting it on the internal segment 
> should be a better solution for your situation since it will save you 
> a lot of time and concentrate only on the critical alerts that have 
> come into your network. Trust me, there are a lot of scanning going 
> on, and you won't want to see thaem all, let the firewall do its job.
>
> At 03:34 5/8/2002, Nicholas Bachmann wrote:
>
> > neptuna wrote:
> >
> > > > Snort can be placed in many areas:  Probably the most
> > > > beneficial would 
> > > > be in front and behind the router/FW, this way you know what you're 
> > > > being attacked with and what's getting through the FW.
> > > >   
> > > >        
> > >
> > > Actutally I did try to install snort a few months ago and I placed it 
> > > on
> > > one of the boxes on the inside (a RH 7.2) box. However it did not
> > > capture any traffic.
> > >      
> > If it's really a switch, you should only see traffic to and from that 
> > port on the switch.  You should see if it is possible for you to set 
> > up mirroring on the switch, otherwise put Snort on the router/FW (get 
> > a cheap x86 box) monitoring your internal interface.
> >
> > >      
> > >
> > > > CM ---- Snort --- Router/FW --- Snort ---- Switch ---- computers.
> > > >   
> > > >        
> > >
> > > Let me understand:
> > > CM -> Snort box plugged into the Ethernet jack of modem -> [ this
> > > is
> > > where i am confused ] Snort box hooked into the Router [ but how ?]
> > > ->
> > > snort box UPlinked to switch -> Switch to internal
> > > computers?
> > The best way would be to get a tap (I know, you probably don't care 
> > to spend that much on a home IDS system. Can anybody guess how much a 
> > cheap tap would cost for this?) or a hub and set it up like this:
> >
> > CM -- Router/FW/Snort -- Switch
> >        \                                                
> >          \ _ Snort
> >
> > A good question also becomes wheter putting a Snort box on the 
> > outside is really worth it... it's fun to have just to see what 
> > you're deflecting, but is it really needed, or on a large network, 
> > viable?
> >
> >
> > --
> >        Regards,
> >        Nick
> >
> >        Nicholas
> > Bachmann, SSCP
> >        Tech
> > Department
> >        Davison
> > Community Schools
> >
> >
> >    
> >
> >
> > ------------------------------------------------------- This sf.net 
> > email is sponsored by:ThinkGeek Welcome to geek 
> > heaven.http://thinkgeek.com/sf 
> > _______________________________________________ Snort-users mailing 
> > list Snort-users () lists sourceforge net Go to this URL to change user 
> > options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> > list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users 
>
>
> --
>
> David Yip





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users