Re: snort placement

[neptuna <neptuna () neptuna org>]

On Sun, 2002-08-04 at 15:57, Christopher Cook wrote:
> what you can do, and what I have setup, is Snort is invisible to 
> everything else.  So take my setup at home right now.
>
> CM ----> Snort ----> Router/FW ----> Snort ----> hub ----> computers.
>
> Both snort boxes are address-less and store the data locally in a mySQL 
> database with output to ACID to make it all pretty and nice.  This way 
> they capture all the traffic, but there's nothing there to give them 
> away as being Snort boxes.  So you would take your Cable Modem, plug it 
> into one NIC of the Snort, and then connect the other NIC to Router.   
> The same thing is done with the inside one, except you connect the 
> router to Snort and Snort to the switch.

hmm, that sounds ok. So i would not be assigning an IP address to the
interfaces on the snort boxes? 

> As someone else pointed out, hooking into the switch more than likely 
> won't capture traffic as the switch doesn't broadcast to all ports.  If 
> you can turn your switch into a hub, then this would work.

assuming I can't get port mirroring on this switch, i do have a hub here
that i can use.

Thanks again

 




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users