[Snort-users] Placement of Snort IDS

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Wed Apr 10 13:38:14 EDT 2002

Place your Snort box on the switch, and span the port it is on. It will then
sniff all traffic passing through the switch. The Snort sensor is not set up
as a gateway.

Snort is used to alert and log certain packets; it does not drop them based
on a rule. Though whoever told you that it drops packets was probably
referring to the flexresp option, where you can send TCP resets based on a
rule being triggered.

Paul Sheahan
Manager of Information Security
paul.sheahan at ...2218...

-----Original Message-----
From: Kenny D [mailto:bitored2002 at ...3162...]
Sent: Wednesday, April 10, 2002 12:04 PM
To: snort users
Subject: [Snort-users] Placement of Snort IDS


I need to know where to place a Snort IDS in a
switched environment. Is it set up with a promiscuous
mode port and port mirroring configured in the switch?
Or is it set up to have all traffic pass through it so
that it would act as a default gateway between
servers/users and the firewall?

Someone told me that Snort can drop packets if there
is a rule matched; I'm not so sure. I thought Snort
logged, not dropped. That's why I have begun to rethink
its placement. Who is right or wrong?
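
The difference between a passive rule and a flexresp rule, as described in the reply above, shown as an added example that is not part of the original thread. The network range, port, message text and sid values are constructed for illustration, and the `resp` keyword is only available when Snort was built with flexresp support (`--enable-flexresp`).

```snort
# Constructed example rules; the network range and sids are placeholders.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Passive rule: a sensor on a mirrored (SPAN) port alerts and logs the
# matching packet. The packet itself still reaches its destination.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Inbound telnet connection attempt"; flags:S; sid:1000001; rev:1;)

# Same match with flexresp: Snort still alerts, then sends TCP resets to
# both ends of the connection (rst_all). The original packet is not dropped;
# the connection is torn down after the fact.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Inbound telnet connection attempt, reset sent"; flags:S; resp:rst_all; sid:1000002; rev:1;)
```

For the second rule to have any effect, the sensor needs an interface that is allowed to transmit onto the network; a mirror port configured as receive-only will see the traffic but cannot deliver the resets.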

