[Snort-users] snort placement

neptuna neptuna at ...6520...
Mon Aug 5 15:47:05 EDT 2002


> 
> Here is my setup.
> 
> 								Cable Modem 
>   		     						    |
>     		      						|
> ..........(Nic 3)...........Dlink switch
> |  		     						    |
> |    		      						|
> |		   ------------------------------------------------
> |  		   |                                 |           | 			   |
> |	Router/FW/Snort       Comp1  Comp2   Comp3
> ........(3 NICs)
> 
> Nic 1 is the gateway to the Internet. (Router/FW). Snort cannot listen on this Nic.
> Nic 2 is the gateway to my LAN.  This is the trusted Nic.
> Nic 3 is the promiscuous NIC listening to the traffic coming in. Snort is listening on this Nic 3.

What do you mean by trusted NIC? 

> 
> For the Snort Nic, use a good Nic like 3Com, which is believed not to drop as many packets as a NE2K Nic.

3-com is what I use. 

> 
> Suggestions for Nic 3 - Do not set any IP address for the Nic
> 									  Do not broadcast the ARP address.

Ok. so make this NIC as stealthy as possible?

> 
> Hope this helps. Good luck.

yes, it does. now i have a few good ideas to work with thanks to this
group!

Thanks









More information about the Snort-users mailing list