[Snort-users] snort placement

David Yip dy at ...6387...
Sun Aug 4 13:00:02 EDT 2002

Hey guys, be realistic! It's just a home network. Forget about tap or port 
mirroring, either install on the gateway or use a hub. No matter how cheap 
the DLink is, it's still a switch, you'll need a hub. It won't hurt to use 
a hub since your traffic will not exceed 10-20MB on a cable connection. In 
my opinion, putting it on the internal segment should be a better solution 
for your situation since it will save you a lot of time and concentrate 
only on the critical alerts that have come into your network. Trust me, 
there is a lot of scanning going on, and you won't want to see them all, 
let the firewall do its job.

At 03:34 5/8/2002, Nicholas Bachmann wrote:
>neptuna wrote:
>>>Snort can be placed in many areas:  Probably the most beneficial would
>>>be in front and behind the router/FW, this way you know what you're
>>>being attacked with and what's getting through the FW.
>>Actually I did try to install snort a few months ago and I placed it on
>>one of the boxes on the inside (a RH 7.2) box. However it did not
>>capture any traffic.
>If it's really a switch, you should only see traffic to and from that port 
>on the switch.  You should see if it is possible for you to set up 
>mirroring on the switch, otherwise put Snort on the router/FW (get a cheap 
>x86 box) monitoring your internal interface.
>>>CM ---- Snort --- Router/FW --- Snort ---- Switch ---- computers.
>>Let me understand:
>>CM -> Snort box plugged into the Ethernet jack of modem -> [ this is
>>where I am confused ] Snort box hooked into the Router [ but how ?] ->
>>snort box UPlinked to switch -> Switch to internal computers?
>The best way would be to get a tap (I know, you probably don't care to 
>spend that much on a home IDS system. Can anybody guess how much a cheap 
>tap would cost for this?) or a hub and set it up like this:
>CM -- Router/FW/Snort -- Switch
>        \
>          \ _ Snort
>A good question also becomes whether putting a Snort box on the outside is 
>really worth it... it's fun to have just to see what you're deflecting, 
>but is it really needed, or on a large network, viable?
>         Regards,
>         Nick
>         Nicholas Bachmann, SSCP
>         Tech Department
>         Davison Community Schools


David Yip