[Snort-users] 2 Qs: Snort and subnets + Linux stealth boxes

Daedalus daedalus at ...494...
Thu Sep 21 09:57:07 EDT 2000


Hi all,

I recently started playing with a pretty standard setup of Snort to monitor
what's going on on my network, but I've run into a bit of a snag with subnets.
I have a class C routed into one location via T1 where it is then split off
into smaller subnets which are routed back out T1s to different locations.
All of the locations are the same company and I would like to monitor traffic
to all the locations from one Snort installation. Does anyone have any
suggestions?  If I place the machine on the hub with the routers it has an
address still with the class C mask but the traffic I want to monitor now
has had its mask changed by the incoming router so I can't see it.  Which
leads me to my second question.  In a list, I don't remember which one, a
guy was writing about using "stealth boxes" that were Linux machines with
no IP address but were in promiscuous mode doing IDS and acting as logging
hosts. Does anyone know the location of any documentation about doing this
and will it work with Snort?

Thanks all,
-Bill
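The "stealth box" described in the post, as an added example that is not part of the original message or of the Snort project: a POSIX shell fragment that brings a Linux interface up with no IP address and promiscuous mode on, a check that the interface really is stealth before the sensor is trusted, and the Snort invocation. Snort classifies packets against the home network given with `-h` (or the HOME_NET variable), not against the sensor's own address or mask, so handing it the whole class C covers every subnet carved out of it, provided the traffic actually crosses the segment the sensor is plugged into. The interface name eth0, the network 192.168.1.0/24, and the log and rules paths are assumptions, as is the `ip` output used as sample input.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a Linux sensor
# with interface eth0 (hypothetical), iproute2 installed, and Snort
# accepting -i/-h/-l/-c/-d as in its classic command line.

# Bring an interface up with no IPv4 address and promiscuous mode set,
# so the sensor sees the segment but is not addressable from it.
# Needs root; the checks further down do not execute this.
stealth_iface_up() {
    ip addr flush dev "$1"
    ip link set dev "$1" up
    ip link set dev "$1" promisc on
}

# Decide whether an interface is stealth from the text of
# `ip -o link show dev IF` ($1) and `ip -o -4 addr show dev IF` ($2).
# Returns 0 only if PROMISC is among the flags and no inet line exists.
iface_is_stealth() {
    case "$1" in
        *PROMISC*) ;;
        *) return 1 ;;
    esac
    case "$2" in
        *inet*) return 1 ;;
    esac
    return 0
}

# Live check on a real interface (needs iproute2 and the interface to exist).
check_stealth() {
    iface_is_stealth "$(ip -o link show dev "$1" 2>/dev/null)" \
                     "$(ip -o -4 addr show dev "$1" 2>/dev/null)"
}

# Build the Snort command for a passive sensor: $1 interface, $2 home network
# in CIDR form (the whole class C, regardless of how it is subnetted behind
# the routers), $3 log directory, $4 rules file.
snort_sensor_cmd() {
    printf 'snort -i %s -h %s -d -l %s -c %s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample output, modelled on iproute2's one-line format.
SAMPLE_LINK_STEALTH='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_PLAIN='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_ASSIGNED='2: eth0    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "demo" ]; then
    iface_is_stealth "$SAMPLE_LINK_STEALTH" "" \
        && echo "sample 1: stealth (promisc, no address)"
    iface_is_stealth "$SAMPLE_LINK_PLAIN" "" \
        || echo "sample 2: not stealth (promisc off)"
    iface_is_stealth "$SAMPLE_LINK_STEALTH" "$SAMPLE_ADDR_ASSIGNED" \
        || echo "sample 3: not stealth (address still assigned)"
    snort_sensor_cmd eth0 192.168.1.0/24 /var/log/snort /etc/snort/snort.conf
fi
```

Run with `sh stealth.sh demo` to exercise the checks against the constructed samples; on the sensor itself, `stealth_iface_up eth0` followed by `check_stealth eth0 && eval "$(snort_sensor_cmd eth0 192.168.1.0/24 /var/log/snort /etc/snort/snort.conf)"` only starts Snort once the interface is confirmed addressless and promiscuous. A sensor with no address still needs a second, administratively separate interface (or a console) for retrieving logs, which is the usual way such boxes are managed.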