[Snort-users] duplicating traffic to snort box

shawn . moyer shawn at ...1184...
Tue Mar 6 12:19:02 EST 2001


Scott Johnson wrote:
> 
> I've got snort running on my FreeBSD gateway right now, but I'd like to
> have snort on a separate box. I'm using ipfw, but I can't see a way to
> duplicate the traffic to another interface (with no IP address) so I'm
> considering switching to ipf and using dup-to. Is there another way? How
> do Linux users do this?

Why not just drop a hub or an Ethernet tap in front of the gateway box?
You can then build a multihomed snort box with the outside interface
unnumbered and the inside interface on the internal network. If this
makes you nervous, drop IPFilter on the Snort box and/or cut the
transmit leads on the cable for the outside interface. This would be the
more or less traditional way to set up NIDS for the outside.

The only other answer I can think of (other than dup-to) would be to set
up bridging on the gateway box, which more or less amounts to the same
thing.



--shawn

-- 
s h a w n   m o y e r
shawn at ...1184...

Man will occasionally stumble over the truth,
but most of the time he will pick himself up and continue on.

                                        -- Churchill
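
The check below is an added example, not part of the original post: it reads `ifconfig` output and reports whether the outside (sniffing) interface of the multihomed Snort box described above is up but really unnumbered, including the case where it has no IPv4 address but has picked up an IPv6 link-local one. The interface names `fxp0`/`fxp1`, the function name and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: confirm from ifconfig output that the sniffing interface is
# up but unnumbered. Interface names and sample output are constructed.

# Constructed BSD-style dump: fxp0 = outside (sniffing), fxp1 = inside.
SAMPLE_OK='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:01
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:02'

# Constructed failure case: no IPv4 address on fxp0, but an IPv6 link-local
# address was assigned, so the interface can still speak IP.
SAMPLE_BAD='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::200:5eff:fe00:5301%fxp0 prefixlen 64 scopeid 0x1
        ether 00:00:5e:00:53:01'

# Usage: ifconfig -a | sniff_if_status IFACE
# Prints unnumbered | numbered | down | missing; returns 0 only for unnumbered.
sniff_if_status() {
    awk -v want="$1" '
        # An interface block starts with "name: flags=...".
        $1 ~ /:$/ && $2 ~ /^flags=/ {
            name = $1
            sub(/:$/, "", name)
            cur = (name == want)
            if (cur) { seen = 1; up = ($2 ~ /[<,]UP[,>]/) }
            next
        }
        # Any address line inside the wanted block means it is numbered.
        cur && ($1 == "inet" || $1 == "inet6") { addrs++ }
        END {
            if (!seen)     { print "missing";  exit 3 }
            if (!up)       { print "down";     exit 2 }
            if (addrs > 0) { print "numbered"; exit 1 }
            print "unnumbered"
        }'
}

# Demo on the constructed samples (|| true keeps the demo from aborting).
printf '%s\n' "$SAMPLE_OK"  | sniff_if_status fxp0 || true   # unnumbered
printf '%s\n' "$SAMPLE_BAD" | sniff_if_status fxp0 || true   # numbered
```

Because the function returns non-zero for anything other than an up, address-free interface, it can gate a start-up script so the sensor is not started on an interface that can still send IP traffic.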



