[Snort-users] snort placement
neptuna at ...6520...
Sun Aug 4 14:29:02 EDT 2002
On Sun, 2002-08-04 at 15:57, Christopher Cook wrote:
> what you can do, and what I have setup, is Snort is invisible to
> everything else. So take my setup at home right now.
> CM ----> Snort ----> Router/FW ----> Snort ----> hub ----> computers.
> Both snort boxes are address-less and store the data locally in a mySQL
> database with output to ACID to make it all pretty and nice. This way
> they capture all the traffic, but there's nothing there to give them
> away as being Snort boxes. So you would take your Cable Modem, plug it
> into one NIC of the Snort, and then connect the other NIC to Router.
> The same thing is done with the inside one, except you connect the
> router to Snort and Snort to the switch.
hmm, that sounds ok. So i would not be assigning an IP address to the
interfaces on the snort boxes?
> As someone else pointed out, hooking into the switch more than likely
> won't capture traffic as the switch doesn't broadcast to all ports. If
> you can turn your switch into a hub, then this would work.
assuming I can't get port mirroring on this switch, i do have a hub here
that i can use.
More information about the Snort-users