Snort mailing list archives

Re: Install location


From: Seth Art <sethart () gmail com>
Date: Fri, 14 Jan 2005 12:49:05 -0500

For home use you should be perfectly fine installing snort on an
existing client.  I am running Fedora Core 3 at home with snort, ntop,
apache, and an ftp server on a P3 500mhz machine and it seems to
handle the load quite well.  If you are not dealing with tons of
traffic at home you should be fine with buying a hub (make sure it is a
100mb hub) and plugging the wireless router and all your machines into
the hub.

So: Cable/DSL --> router/wireless router --> hub.  And then plug all
your other computers into the hub as well.  If you have a router but a
wireless AP you should plug your AP into the hub also.  This will
replicate all traffic to all the ports, which in theory slows you down,
but if you're not doing many LAN transfers you shouldn't really notice
any performance impact.  I don't at least.  The hub I am using is a
Netgear 100mb that I got for about 40 bucks.

Lastly, one of the ports on the hub should go to a second interface on
your snort machine.  As far as how to configure this interface to have it
sniff while everything else from the client uses your original
interface, there is a thread started today or yesterday (multi-homed)
which hits it on the head.

Another configuration is to put Cable/DSL into the hub, router into
the hub, and have all the clients (including the WAP) into the router,
except the sniffing interface on the snort machine which will also be
plugged into the hub.  This is like putting your snort sensor at work
outside the firewall.  You will not see 192.x.x.x addresses, you will see
only your public IP address as the destination for all of the
machines.  (I think; that may have just been ntop.)

This option will not affect LAN transfers at all as far as performance, AFAIK.

I am still fairly new to snort, Linux, and all of this so if anyone
has seen any errors in my advice or what I am doing I would love to
hear them as well.  I hope I helped.

-Seth



On Thu, 13 Jan 2005 15:28:24 +0100, Eckhardt Newger <enewger () gmx de> wrote:
I'm thinking of giving Snort a try on my small home wireless LAN which
connects through a router/switch to the Internet.

I've read through many installation guides. All of them recommend
installing Snort on a dedicated PC if I understood it right. But I do not
want to install additional hardware for Snort (at least not at the
moment). So my question is: Is it feasible/possible to install Snort on
an already existing client, and how should I do it (separate NIC,
unbound (how on a Win XP Pro system?))? Do I lose any functionality
with this kind of installation?

Many thanks in advance for any advice.

Eckhardt Newger

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


