[Snort-users] Newbie Questions

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Mon Jun 18 12:51:25 EDT 2001

My opinion is, I know that I will see a ton of attacks OUTSIDE my firewall,
so I am not as concerned about watching that traffic as I am watching
traffic INSIDE my firewall (the traffic that I am purposely letting into my
network). For starters, I recommend a Snort sensor INSIDE the firewall, so
it is monitoring all traffic that you are specifically allowing into your
network. From there you can work on the bad stuff that is sneaking in. If
you are in a switched environment, you can setup a spanned port from the
internal firewall interface to your snort box. If your using hubs, just
plugin to the same hub as where the internal firewall interface is plugged
in. That's a good start.

Paul Sheahan
Manager of Information Security
paul.sheahan at ...2218...

-----Original Message-----
From: Tim Parker [mailto:hostmaster at ...2310...]
Sent: Monday, June 18, 2001 11:30 AM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Newbie Questions

I have just started to toy with SNORT and am curious about something. I
haven't found many good newbie instructions for configuring and placing a
"snort server" I have a linux box that I have set up in our office that can
see our web servers, firewall, etc. which is in a remote location connected
by a private T1. I would like for testing to be able to use this to monitor
traffic behind our firewall first. I plan later to add another server
outside the firewall once I get a good grasp on what I am doing and seeing.
Can any provide info, links etc. on how to set this up for testing? thanks.

Tim Parker

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list