Re: Using SNORT for Internal IDS

[Erek Adams <erek () snort org>]

On Tue, 24 Jun 2003, Pankaj Gupta wrote:

> I am not sure if Snort can be used to monitor internal attacks or intrusion
> activities. Also, can I use two copies of Snort (installed on two separate
> servers), one to monitor the external port outside my firewall and the other
> to monitor specific internal ports for signature matches. Does anyone have
> any experience, inputs or documentation on this matter? Thanks.

Snort can be used for any type of detection.  It all depends on where you
place it and what you want to see.

You can use as many copies as you want.  It doesn't care that you're using
more than one.

All it takes is the correct physical placement, and the correct setting of
your HOME_NET/EXTERNAL_NET.

Check out the placement docs on Snort.org.  They have a lot of useful info
in them.  You might also want to check out this [0].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.theadamsfamily.net/~erek/snort/ids_placement.txt


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users