[Snort-users] Newbie Questions

jan at ...206... jan at ...206...
Mon Jun 18 12:20:38 EDT 2001


> traffic behind our firewall first. I plan later to add another
> server
> outside the firewall once I get a good grasp on what I am
> doing and seeing.

Hm. One could probably argue, but for me personally I found it
more educative to watch just about everything that hit my
external subnet when I started toying around with snort. Thus, I
plugged the snort box in a hub, together with the firewall. It's
nice to have a second sensor behind the firewall, but with a
'parallel' setup you get to see a lot of traffic that would
otherwise look pretty boring in the 'block logs' of your
preferred firewall. 

I got the advice for the first setup from Dominiq Brzinski from
Amazon, who doesn't seem to be on the list anymore...?! Anyway,
do as I did: Simply bring the 'sniffing' interface up, i.e. do
not assign an IP address to it. Snort brings it into promiscuous
mode, so every ethernet frame will cause an interrupt and you'll
get all the frames received by the NIC. Thus - you'll be able to
see what's coming in without being visible layer 3 wise. 

For extra paranoia compliance, build a 'read-only' cable, which
has only the RX-wires connected. I've done this, but it's months
ago and I can't remember the layout :-% 

Anyway, hope it helps. The USAGE file that comes with snort is a
great place to start btw., so is the entire info on the website. 


Cheers, Jan

-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
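The unaddressed, promiscuous sniffing interface Jan describes, as an added example that is not part of the original post. It assumes a Linux host with iproute2, a hypothetical sensor NIC named eth1 plugged into the hub beside the firewall, and root for the `ip` and `sysctl` calls; the check function is fed captured command output so it can also be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with iproute2,
# a hypothetical sensor NIC eth1 on the hub next to the firewall, and root.
SNIFF_IF="${SNIFF_IF:-eth1}"

# Bring the sniffing NIC up with no layer-3 address at all: the 2001-era
# equivalent is "ifconfig eth1 up" without ever giving it an address.
# Snort puts the NIC in promiscuous mode itself; doing it here too makes
# the intent explicit. Caveat: the kernel auto-assigns an IPv6 link-local
# address when a NIC comes up, and that makes the sensor talk (ND/MLD),
# so disable IPv6 on the interface as well.
bring_up_unaddressed() {
    sysctl -w "net.ipv6.conf.$1.disable_ipv6=1" >/dev/null
    ip addr flush dev "$1"
    ip link set dev "$1" promisc on
    ip link set dev "$1" up
}

# Pure check, fed the output of `ip -o link show dev X` (arg 1) and
# `ip -o addr show dev X` (arg 2), so it can be tested on captured text.
# Returns 0 only if the NIC is UP, PROMISC and has no inet/inet6 address.
iface_is_stealth() {
    flags=${1#*<}          # keep text after the first '<'
    flags=${flags%%>*}     # ... up to the first '>' -> "BROADCAST,UP,..."
    case ",$flags," in
        *,PROMISC,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,UP,*) ;;
        *) return 1 ;;
    esac
    case "$2" in
        *" inet "*|*" inet6 "*) return 1 ;;   # any address = visible at L3
    esac
    return 0
}

# Live wrapper: run after bring_up_unaddressed and before starting snort -i.
check_sniffer() {
    iface_is_stealth "$(ip -o link show dev "$1")" "$(ip -o addr show dev "$1")"
}

# Usage: sh sniffer.sh up | check
case "${1:-}" in
    up)    bring_up_unaddressed "$SNIFF_IF" ;;
    check) check_sniffer "$SNIFF_IF" && echo "$SNIFF_IF is up, promiscuous and unaddressed" ;;
esac
```

Run `check` after `up`, and again after snort has been started, to confirm the sensor still has no address; a stray inet6 line means IPv6 was re-enabled and the box is no longer silent on the wire.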