[Snort-users] ideal setup

twig les twigles at ...131...
Fri Aug 9 09:44:04 EDT 2002


However unless you mirror the port on your switch,
your firewall/snort box won't see internal -> internal
traffic.  If you miss the initial attack, then all the
nasty stuff that follows will get past silently. 
Also, since the firewall is already a potential
chokepoint, do you want to burden it with many
potential L7 packet examinations and TCP stream
reassemblies?


--- Kevin Brown <Kevin.M.Brown at ...1022...> wrote:
> Then (if snort doesn't have this already) maybe
> snort should be used in
> non-promiscuous mode if it is run from the firewall
> because all the traffic
> destined for your network has to go through the
> firewall.
> 
> -----Original Message-----
> From: Keith Young [mailto:kyoung at ...6513...]
> Sent: Wednesday, August 07, 2002 2:29 PM
> To: robert at ...6550...
> Cc: quentyn at ...3871...;
> snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] ideal setup
> 
> 
> Robert Cole wrote:
> 
> > Ok lets go for a not so dream setup. How about
> snort running on the
> firewall 
> > machine and sending its logs to a syslog server.
> That a decent setup if
> the 
> > syslog server is heavily protected as well?
> 
> Robert,
> 
> I wouldn't run Snort on the firewall for two
> reasons:
> 	* Snort will put the interfaces into promiscuous
> mode
> 	* running extra services usually isn't a good idea
> 
> What about running a Snort box outside and a Snort
> box inside which 
> sends log data to the syslog server in the DMZ?
> 
> -- 
> 
> -- 
> --Keith Young
> -kyoung at ...6513...
> 
> 
> 
> 
>
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com




More information about the Snort-users mailing list