Re: snort placement

[Andreas Östling <andreaso () it su se>]

On Sun, 4 Aug 2002, Nicholas Bachmann wrote:

> The best way would be to get a tap (I know, you probably don't care to spend that much on a home IDS
> system. Can anybody guess how much a cheap tap would cost for this?) or a hub and set it up like this:
>
> CM -- Router/FW/Snort -- Switch
>        \
>          \ _ Snort

You can often also instruct your firewall to send an extra copy of all
(or just the selected) packets out to another interface where you have a
Snort box listening.

In OpenBSD for example, you can use PF's "dup-to" option to achieve
this (or if running in bridged mode, "addspan").

I'm sure this is possible on Linux and other systems as well.
Really nice if you don't want to run any extra processes on your firewall,
for performance/security reasons etc.

Regards,
Andreas Östling



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users