Snort mailing list archives

Re: Placing Snort


From: "Bill Parker" <dogbert () netnevada net>
Date: Wed, 1 Sep 2004 09:06:54 -0700


  ----- Original Message ----- 
  From: Chandana Bandara 
  To: Snort 
  Sent: Wednesday, September 01, 2004 2:30 AM
  Subject: [Snort-users] Placing Snort


  hi

  I implemented snort in this way 


  Internet ---> Router ---> Firewall ---> Snort ---> switch ---> LAN

  Well, from what you have above, I assume you have snort sitting on a switch port which is mirroring traffic to/from 
firewall, and this is the way most people set it up (though there are many ways things like this can be set up).  You 
want to make sure that whatever NIC you have plugged into this port is in promisc. mode (so it can see all traffic), 
and even better, if the NIC can be enabled w/out an IP address (prevents the sensor from reacting to traffic from the 
NIC itself).  Another method would be to make a cat-5 cable which only has the receive pins connected (no transmit) on 
the side which goes to the computer running snort (this ensures that snort can ONLY listen to traffic and never send 
anything, even by accident).

  Bill
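
A check for the sensor setup described in the reply above, as an added example that is not part of the original post: it verifies that the sniffing interface is up, in promiscuous mode, and has no IP address bound. It assumes a Linux sensor with iproute2 and sysfs; the interface name `eth1`, the script name and the sample values are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Snort sniffing NIC on a Linux sensor (assumption).
IFF_UP=1          # 0x1   in <linux/if.h>
IFF_PROMISC=256   # 0x100 in <linux/if.h>

# flag_set FLAGS BIT: succeeds when BIT is set in FLAGS (hex accepted).
flag_set() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# count_addrs: reads `ip -o addr show` output on stdin, prints how many
# IPv4/IPv6 addresses are bound (an IPv6 link-local address counts too).
count_addrs() {
    awk '$3 == "inet" || $3 == "inet6" { n++ } END { print n + 0 }'
}

# audit_sensor_nic FLAGS ADDR_OUTPUT: returns 0 only if the interface is
# up, promiscuous, and has no address bound.
audit_sensor_nic() {
    rc=0
    flag_set "$1" "$IFF_UP" || { echo "FAIL: interface is down"; rc=1; }
    flag_set "$1" "$IFF_PROMISC" || { echo "FAIL: not promiscuous"; rc=1; }
    n=$(printf '%s\n' "$2" | count_addrs)
    if [ "$n" -ne 0 ]; then
        echo "FAIL: $n address(es) bound, expected none"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: up, promiscuous, no address"; fi
    return "$rc"
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_GOOD_FLAGS=0x1103   # UP|BROADCAST|PROMISC|MULTICAST
SAMPLE_BAD_FLAGS=0x1003    # same, without PROMISC
SAMPLE_BAD_ADDRS='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
3: eth1    inet6 fe80::1/64 scope link'

# Live use: sh check_sensor.sh eth1   (script and interface names are placeholders)
if [ -n "${1:-}" ]; then
    audit_sensor_nic "$(cat "/sys/class/net/$1/flags")" \
                     "$(ip -o addr show dev "$1")"
fi
```

The promiscuous flag is only set while a capture process such as Snort has the interface open, or after `ip link set dev eth1 promisc on`, so run the check with the sensor running.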
