[Snort-users] Snort and acidcenter

Paul D. Shaffer paulshaf at ...741...
Tue Dec 31 14:57:01 EST 2002


As long as the hub is truly a "hub" and not one of those dual-speed
types that actually "switches" between the 10/100 fabric, you only need
to snort on one interface.  You will however have to expand your
HOME_NET variable to cover the address space you're using.

You can run ACID from anywhere as long as you set up access to/from the
database and from the sensor box, if they are not all three one and the
same.  If your hardware is recent and has the capacity/horsepower,
there's no reason you can't run everything on one box.  For a home net,
even older hardware would probably be sufficient to support an
all-in-one solution.

Hope that helps...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Joseph
Sent: Tuesday, December 31, 2002 3:20 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort and acidcenter

I'm asking for a simple explanation of how this works
from someone who could answer this question quickly...

I have a home network connected through AT&T cable. 
The cable modem goes to my hub, and then off to 3
boxes.  The IP addresses on the boxes aren't on the
same network thanx to AT&T's idiotic lack of static IP
addresses.  Anyway...

My question is, if I set up an IDS box, do I have to
have the ACID agent and snort on every box?  Or do I
just have it on one box, and the nic goes into
promiscuous mode and catches everything that comes
through the hub?  

