Snort mailing list archives

Re: IDS and HoneyPot placement in LAN


From: Joe Pampel <jpampel () paladyne com>
Date: Wed, 16 Jun 2010 11:43:48 -0400

I'd say one of the simplest would probably be to SPAN the switch port where the honeypot is connected.
The SPAN port would feed an unnumbered interface on the Snort sensor. This way you
get only traffic bound to/from the honeypot (+ bcast).
The IDS sensor should not be visible this way.
The IDS host should also have a mgt interface.
The IDS management interface can be connected anywhere you want it.
A dedicated "security" VLAN protected with proper ACLs etc. being one of the better options.

The honeypot should go wherever it makes the most sense in your situation. That all depends on what you're trying to do.
Maybe you can spell out your goal here a bit? Looking for internal miscreants or collecting attacks from the 'net or ?

jm2c, ymmv, and the usual disclaimers apply.
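Added example, not from either poster: the sensor-side setup the reply above describes, written as a POSIX shell script. It brings the SPAN-fed sniffing interface up with no IP address and ARP disabled (so the sensor never answers on that wire), and starts Snort with a BPF filter so it only processes traffic to/from the honeypot plus broadcast. The interface names (eth1 for the sniff port, eth0 for management), the honeypot address 192.0.2.50 and the config/log paths are all assumptions; adjust them to your own layout.

```shell
#!/bin/sh
# Added example (not from the thread): a Snort sensor watching a single
# honeypot over a SPAN port, without an address on the sniffing interface.
# Assumed names/addresses: eth1 = SPAN-fed sniff port, eth0 = management
# interface on the security VLAN (not configured here), 192.0.2.50 = honeypot.

SNIFF_IF="${SNIFF_IF:-eth1}"
HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.50}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"

# BPF filter: honeypot traffic plus broadcast, so anything else the switch
# happens to leak onto the SPAN port is dropped before it reaches the rules.
honeypot_bpf() {
    printf 'host %s or broadcast' "$1"
}

# Commands that make the sniff interface "unnumbered": flush any address,
# disable ARP (it never replies), enable promiscuous mode, bring it up.
sniff_if_commands() {
    cat <<EOF
ip addr flush dev $1
ip link set dev $1 arp off promisc on up
EOF
}

# Snort daemon invocation: -i sniff interface, -l log dir, trailing BPF
# expression (same syntax as tcpdump) restricting capture to the honeypot.
snort_command() {
    printf "snort -c %s -i %s -l %s -D '%s'" \
        "$SNORT_CONF" "$1" "$LOG_DIR" "$(honeypot_bpf "$2")"
}

# Dry run by default: print what would be executed. Set APPLY=1 (as root)
# to actually configure the interface and start the sensor.
if [ "${APPLY:-0}" = 1 ]; then
    sniff_if_commands "$SNIFF_IF" | sh -e
    eval "$(snort_command "$SNIFF_IF" "$HONEYPOT_IP")"
else
    echo "# dry run; set APPLY=1 to execute:"
    sniff_if_commands "$SNIFF_IF"
    snort_command "$SNIFF_IF" "$HONEYPOT_IP"
    echo
fi
```

Run it once without APPLY to review the generated commands, then with `APPLY=1` on the sensor. Because eth1 carries no address and has ARP off, the sensor cannot be reached (or easily noticed) from the monitored segment; all administration goes over the separate management interface on the security VLAN.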

________________________________________
From: Quentin Ducas [quentin.h4c () gmail com]
Sent: Wednesday, June 16, 2010 11:26 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] IDS and HoneyPot placement in LAN

I apologize for the newbie question, but what is the best placement for the IDS and the HoneyPot in the LAN?

I want to monitor a HoneyPot with the IDS (snort) *without* monitoring the complete LAN. Want to monitor just one machine.
What should be the best placement for HoneyPot and IDS for this situation?
The HoneyPot is a so-called 'research honeypot', so it is not used for security reasons.

Do I have to place the HoneyPot and the IDS in a DMZ?
Or is it better to place the IDS between modem and router, and the HoneyPot in a DMZ?
Or is it not necessary to have a DMZ, and can I place the HoneyPot between modem and router and the IDS in the LAN?
Do I need a switch to make a separate network for this?
Or maybe something else?

ergo: What is the best placement for both systems?

Thanks in advance,
Quentin

