Snort mailing list archives

Re: snort placement

From: "Subba Rao" <sailorn () attglobal net>
Date: Mon, 5 Aug 2002 10:11:22 -0500

Hello neptuna,

Here is my setup.

                                                                Cable Modem 
                                                                    |
                                                                |
..........(Nic 3)...........Dlink switch
|                                                                   |
|                                                               |
|                  ------------------------------------------------
|                  |                                 |           |                         |
|       Router/FW/Snort       Comp1  Comp2   Comp3
........(3 NICs)

Nic 1 is the gateway to the Internet. (Router/FW). Snort cannot listen on this Nic.
Nic 2 is the gateway to my LAN.  This is the trusted Nic.
Nic 3 is the promiscuous NIC listening to the traffic coming in. Snort is listening on this Nic 3.

For the Snort Nic, use a good Nic like 3Com, which is believed not to drop as many packets as a NE2K Nic.

Suggestions for Nic 3 - Do not set any IP address for the Nic
                                                                          Do not broadcast the ARP address.

Hope this helps. Good luck.

Best regards.                            
Subba Rao
sailorn () attglobal net
2002-08-05


======= At 2002-08-05, 02:19:00 you wrote: =======

Hi

I am new to snort. I have a simple home LAN, with a Cable modem and a
linux box acting as a Router/ FW.  I have 3 machines on the inside. All
are connected to a cheap little D-link switch. Is my only option to put
snort on the Linux Router/FW ? 
I have read the FAQ concerning this but i am still not sure. Any
suggestions or pointers to more documentation is appreciated.

Thanks






-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


= = = = = = = = = = = = = = = = = = = =





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: snort placement, (continued)
- - - Re: snort placement Nicholas Bachmann (Aug 04)
    - Re: snort placement David Yip (Aug 04)
    - Re: snort placement Christopher Cook (Aug 04)
    - Re: snort placement neptuna (Aug 04)
    - Re: snort placement Andreas Östling (Aug 04)
    - Re: snort placement neptuna (Aug 04)
    - Re: snort placement Christopher Cook (Aug 04)
    - Re: snort placement neptuna (Aug 04)
- Re: snort placement J. Craig Woods (Aug 04)
  - Re: snort placement neptuna (Aug 04)
- Re: snort placement Subba Rao (Aug 05)
  - Re: snort placement neptuna (Aug 05)