[Snort-users] Newbie Alert!

Ian Campbell ianc at ...1500...
Thu Mar 8 13:23:41 EST 2001

Excellent links that I hadn't found. Thanks for the tips Shawn!


-----Original Message-----
From: shawn . moyer [mailto:shawn at ...1184...]
Sent: Wednesday, March 07, 2001 7:09 PM
To: Ian Campbell
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Newbie Alert!

Ian Campbell wrote:
> I'd like to play with a Snort box here at the office to monitor our
> connection outside the firewall. Since I know nothing about *nix, I'd like
> to do this on NT, so I downloaded the Win32 port and pcaplib, begged an
> intel box off my boss, and am ready to get started. Based on some of the
> posts I've read here, I was thinking about putting two NIC's in the box
> connecting one to my internal LAN, and connecting the other (without IP
> address) to the hub between our IA router and FW. Does this sound like a
> recommended configuration in terms of security, etc?

Cut the transmit leads. :) 'Course I'm paranoid.

> I plan to strip the NT OS down before installing this stuff in the same
> manner as one would prior to installing, say, a Checkpoint FW on NT. I
> want to dink around with it a little before attempting anything wild like
> logging to a DB, or installing preprocessors, etc.

Well, you probably will want to at least set up WinPerl and SnortSnarf
so you can see your logs and packet captures in a more readable format.

> Can anyone just tell a poor novitiate if he's on the right track and offer
> some commentary, or point me to a 'getting started' faq somewhere
> (preferably with the emphasis on NT) that I could take a look at before
> jumping in.

This should get you on the right track, part II just came out as well.



s h a w n   m o y e r
shawn at ...1184...

The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

					-- Zelazny
