[Snort-users] snort placement

neptuna neptuna at ...6520...
Sun Aug 4 14:29:02 EDT 2002

On Sun, 2002-08-04 at 15:57, Christopher Cook wrote:
> What you can do, and what I have set up, is Snort is invisible to
> everything else.  So take my setup at home right now.
> CM ----> Snort ----> Router/FW ----> Snort ----> hub ----> computers.
> Both Snort boxes are address-less and store the data locally in a MySQL
> database with output to ACID to make it all pretty and nice.  This way
> they capture all the traffic, but there's nothing there to give them
> away as being Snort boxes.  So you would take your Cable Modem, plug it
> into one NIC of the Snort, and then connect the other NIC to Router.
> The same thing is done with the inside one, except you connect the
> router to Snort and Snort to the switch.

Hmm, that sounds OK. So I would not be assigning an IP address to the
interfaces on the Snort boxes?

> As someone else pointed out, hooking into the switch more than likely 
> won't capture traffic as the switch doesn't broadcast to all ports.  If 
> you can turn your switch into a hub, then this would work.

Assuming I can't get port mirroring on this switch, I do have a hub here
that I can use.

Thanks again
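
Added example, not part of the original post: a shell check that the sniffing interfaces of a sensor like the address-less Snort boxes described above really carry no address. It parses `ip -o addr show` output; the interface names and sample lines are constructed, and the sample shows a NIC with no IPv4 address that still has an autoconfigured IPv6 link-local one.

```shell
#!/bin/sh
# Constructed sample in the format printed by `ip -o addr show`
# (not taken from the thread). Hypothetical layout:
#   eth0 = management NIC, eth1/eth2 = sniffing NICs.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::200:5eff:fe00:5301/64 scope link \       valid_lft forever preferred_lft forever'

# addressed_sensor_ifaces "<ip -o addr output>" IFACE...
# Prints "iface family address" for every listed sensor interface that
# carries an IPv4 or IPv6 address. Returns 0 when all listed interfaces
# are address-less, 1 otherwise.
addressed_sensor_ifaces() {
    addrs=$1
    shift
    found=$(printf '%s\n' "$addrs" | awk -v want="$*" '
        BEGIN {
            # Build a lookup set from the space-separated interface list.
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) sensor[w[i]] = 1
        }
        # Fields: $1 index, $2 interface, $3 family, $4 address/prefix.
        ($3 == "inet" || $3 == "inet6") && ($2 in sensor) { print $2, $3, $4 }
    ')
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Demo on the constructed sample: eth1 is reported because of its
# link-local IPv6 address, eth2 has no entries at all.
addressed_sensor_ifaces "$SAMPLE_ADDRS" eth1 eth2 ||
    echo "WARNING: a sniffing interface still has an address"
```

On a live Linux sensor, pass `"$(ip -o addr show)"` as the first argument instead of the sample.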


