Snort mailing list archives

Re: Snort documentation


From: Erek Adams <erek () snort org>
Date: Sun, 25 May 2003 11:12:57 -0400 (EDT)

On Fri, 23 May 2003, Michael Conlen wrote:

> I'm looking for some documentation, if it's been written, on setting up
> snort between a switch and a host... ...some background.
>
> I've got hosts connected to a switch. Each host is doing something
> around 40-70Mbit per second. I'd like to set up a snort box between each
> of these and the switch in such a way that no one knows they are there.
> My idea is to set up the box with three interfaces (one, two and three).
> Interface one connects to the switch, interface two connects directly to
> the host. Interface 3 connects to a network somewhere so I can login. I
> would like to set it up so that interface 1 and 2 are not configured in
> the OS for any stacks, and just let snort read packets from interface
> one and dump them on two, and vice versa, then generate warnings which
> would get syslogged somewhere through interface three.
>
> I had thought this was possible at some point (years ago) but I didn't
> see it anywhere in the documentation. Can someone point me in the right
> direction?

Yes, it's possible.  It all depends on what you want to do.  You can set
up a 'stealth' interface (FAQ 3.1), use a ReadOnly Cable (FAQ 3.2), or use
a network tap [0].

I'd use a combination of R/O Cables and Stealth if you're trying to save
money.  If you can spend money, use the taps.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.netoptics.com/11.html


