[Snort-users] Multiple IP address matching
gbinder at ...462...
Thu Sep 21 03:11:15 EDT 2000
Kris Kennaway on Wed, Sep 20, 2000 at 06:23:26PM -0700:
> For my purposes, I have a number of machines which are part of a
> larger class B subnet (not contained within a smaller address block),
> and I want to be able to treat other machines on that class B as being
> external. I don't think there's any current way to do this, which
> means I either have to put up with snort traffic between my "internal"
> machines being logged as suspicious, or trust the entire class B and
> hope no-one else is poking at my machines.
> Does anyone have any suggestions?

If the untrusted machines are in the same switched segment, put one
interface of your sensor on the monitor port of this switch and use
"snort -i interface".

Make sure your sensor can keep up with the amount of traffic on a
busy (I guess 100Mbit?) network without dropping packets.

Hope this helps,
Gregor Binder <gbinder at ...462...> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482