[Snort-users] snort placement

Christopher Cook crcook at ...6518...
Sun Aug 4 13:08:06 EDT 2002


Yeah, what he said.  Gotta snap out of work mode sometimes. :-)



David Yip wrote:

> Hey guys, be realistic! It's just a home network. Forget about tap or 
> port mirroring, either install on the gateway or use a hub. No matter 
> how cheap the DLink is, it's still a switch, you'll need a hub. It 
> won't hurt to use a hub since your traffic will not exceed 10-20MB on 
> a cable connection. In my opinion, putting it on the internal segment 
> should be a better solution for your situation since it will save you 
> a lot of time and concentrate only on the critical alerts that have 
> come into your network. Trust me, there is a lot of scanning going 
> on, and you won't want to see it all, let the firewall do its job.
>
> At 03:34 5/8/2002, Nicholas Bachmann wrote:
>
>> neptuna wrote:
>>
>>>> Snort can be placed in many areas:  Probably the most beneficial would
>>>> be in front and behind the router/FW, this way you know what you're
>>>> being attacked with and what's getting through the FW.
>>>
>>> Actually I did try to install snort a few months ago and I placed it on
>>> one of the boxes on the inside (a RH 7.2) box. However it did not
>>> capture any traffic.
>>
>> If it's really a switch, you should only see traffic to and from that 
>> port on the switch.  You should see if it is possible for you to set 
>> up mirroring on the switch, otherwise put Snort on the router/FW (get 
>> a cheap x86 box) monitoring your internal interface.
>>
>>>> CM ---- Snort --- Router/FW --- Snort ---- Switch ---- computers.
>>>
>>> Let me understand:
>>> CM -> Snort box plugged into the Ethernet jack of modem -> [ this is
>>> where I am confused ] Snort box hooked into the Router [ but how ?] ->
>>> snort box UPlinked to switch -> Switch to internal computers?
>>
>> The best way would be to get a tap (I know, you probably don't care 
>> to spend that much on a home IDS system. Can anybody guess how much a 
>> cheap tap would cost for this?) or a hub and set it up like this:
>>
>> CM -- Router/FW/Snort -- Switch
>>        \                                                
>>          \ _ Snort
>>
>> A good question also becomes whether putting a Snort box on the 
>> outside is really worth it... it's fun to have just to see what 
>> you're deflecting, but is it really needed, or on a large network, 
>> viable?
>>
>>
>> -- 
>>        Regards,
>>        Nick
>>
>>        Nicholas Bachmann, SSCP
>>        Tech Department
>>        Davison Community Schools
>>
>
>
> --
>
> David Yip
>
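
The point made in the thread, that a sensor on an ordinary switch port only sees traffic to and from its own port, can be checked from a short capture before blaming Snort. This is an added example, not part of the original messages; it assumes `tcpdump -e -n` style lines, and the MAC addresses, sample lines and the `min_share` threshold are constructed for illustration.

```python
import re

# Start of a `tcpdump -e -n` line: "<time> <src MAC> > <dst MAC>, ethertype ..."
FRAME = re.compile(r"^\S+ ([0-9a-f:]{17}) > ([0-9a-f:]{17}),", re.I)

SENSOR_MAC = "02:00:00:00:00:01"  # constructed: the Snort box's own NIC

# Constructed sample: what the sensor captures on an ordinary switch port.
SWITCH_CAPTURE = [
    "13:08:06.100000 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.10.40000 > 192.0.2.5.80: tcp 0",
    "13:08:06.200000 02:00:00:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20",
    "13:08:06.300000 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.5.80 > 192.168.1.10.40000: tcp 0",
]
# Constructed sample: the same sensor on a hub, which repeats other hosts' frames to it.
HUB_CAPTURE = SWITCH_CAPTURE + [
    "13:08:06.400000 02:00:00:00:00:02 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.20.40001 > 192.0.2.9.443: tcp 0",
    "13:08:06.500000 02:00:00:00:00:fe > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 192.0.2.9.443 > 192.168.1.20.40001: tcp 0",
]

def is_group(mac):
    # Broadcast and multicast addresses have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

def classify(lines, sensor_mac):
    """Count frames by whether the sensor would receive them on any switch port."""
    sensor_mac = sensor_mac.lower()
    counts = {"own": 0, "group": 0, "third_party": 0}
    for line in lines:
        m = FRAME.match(line)
        if not m:
            continue  # not a link-level header line
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group(dst):
            counts["group"] += 1        # flooded to every port, proves nothing
        elif sensor_mac in (src, dst):
            counts["own"] += 1          # the sensor's own conversations
        else:
            counts["third_party"] += 1  # unicast between other hosts
    return counts

def sees_other_hosts(counts, min_share=0.1):
    # min_share is an assumed threshold, not a Snort or tcpdump setting.
    unicast = counts["own"] + counts["third_party"]
    return unicast > 0 and counts["third_party"] / unicast >= min_share

if __name__ == "__main__":
    for name, cap in (("switch", SWITCH_CAPTURE), ("hub", HUB_CAPTURE)):
        counts = classify(cap, SENSOR_MAC)
        print(name, counts, "sensor sees other hosts:", sees_other_hosts(counts))
```

On a real sensor, feed it lines from `tcpdump -e -n -i <interface>`. A switch floods frames for destinations it has not learned yet, which is why the check uses a share of unicast traffic rather than any nonzero count.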






