[Snort-users] New to snort, need suggestion.

Keith Woodworth kwoody at ...2020...
Fri May 11 23:43:03 EDT 2001


Been looking over Snort the last couple of days as we've been discussing
putting an IDS on our network for the last little while.

I've got a FBSD box that we use for MRTG stuff so I put Snort there,
compiled, installed perfectly but it did core a couple of times.
Seemed to be a snort.conf error but not a big deal.

Now we have a Catalyst 5500 switch as part of our core, and a 7206 at the
edge so to speak. We have multiple Class C's on our network but they
are not contiguous? (sp) 

As the FBSD machine running snort is on a FE port on the Cat5500 assigned
to its own Vlan it's pretty limited in what it can "see" on our network.

Our 7206 is connected to a 7202 via a xover cable (the 7202 belongs to
our upstream) basically so we retain more control of what comes in and out
of our network.

What I've been thinking is get a hub, plug the Snort box and both the
7206 and 7202 into it. This way I can see all our traffic coming in and
would then be able to make use of Snort's capabilities. Would this scenario
work?

As well in the HOME_NET variable I would like to be able to specify our
networks in CIDR like so: 192.168.10.0/23 192.168.100.0/23 192.168.102/22
for snort to operate?

Thanks for any info.
Keith




