[Snort-users] Using snort on a switched network

James the_saint_james at ...131...
Sun Jan 6 11:04:02 EST 2002


See if your switch has the ability to do "mirror", "monitor" or "broadcast"
ports. Basically all traffic is rebroadcast to the port Snort runs on. Place
Snort on your DMZ (in front of your firewall) and Snort will see all
traffic; place it after the firewall and you will see what got through.

I would like to hear what others have to say about running Snort on a
firewall. Snort is passive; it just listens, processes, and records traffic
unless you integrate Snort into the firewall to write rules or take other
actions. If your firewall is a Unix box, then running Snort on it would
allow you to sniff internal and external interfaces.
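
As an added example (not part of the original post and not Snort's own code): a small Python check of whether the interface Snort listens on really receives mirrored traffic. It parses a libpcap capture taken on that interface (constructed inline here) and lists unicast frames exchanged between two other hosts, which a switch never forwards to a plain access port; the sensor MAC address is an assumed value.

```python
import struct

# Assumed for the example: the hardware address of the sensor's own NIC.
SENSOR_MAC = "00:11:22:33:44:55"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _frame(dst, src, ethertype=0x0800):
    """Build a minimal 60-byte Ethernet frame (constructed test data)."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return to_bytes(dst) + to_bytes(src) + struct.pack(">H", ethertype) + b"\x00" * 46

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1010000000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Return (src_mac, dst_mac) per frame; accepts either byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap capture")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("capture is not Ethernet (link type 1)")
    pairs, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:
            pairs.append((_mac(frame[6:12]), _mac(frame[0:6])))
    return pairs

def foreign_unicast(data, sensor_mac=SENSOR_MAC):
    """Frames between two *other* hosts. Empty on a plain access port, so an
    empty result means the mirror/monitor port is not delivering traffic."""
    sensor_mac = sensor_mac.lower()
    return [(s, d) for s, d in parse_pcap(data)
            if s != sensor_mac and d != sensor_mac
            and not int(d[:2], 16) & 1]        # skip broadcast/multicast

# Constructed captures: what the sensor sees on each kind of switch port.
ACCESS_PORT = build_pcap([
    _frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01", 0x0806),  # ARP broadcast
    _frame(SENSOR_MAC, "00:aa:bb:cc:dd:01"),                    # addressed to sensor
])
MIRROR_PORT = build_pcap([
    _frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01", 0x0806),
    _frame("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:01"),           # host 1 -> host 2
    _frame("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"),           # reply
])

if __name__ == "__main__":
    for name, cap in (("access port", ACCESS_PORT), ("mirror port", MIRROR_PORT)):
        n = len(foreign_unicast(cap))
        print(f"{name}: {n} foreign unicast frame(s) -> mirroring {'on' if n else 'OFF'}")
```

On a real sensor, feed it a short capture from the listening interface (e.g. written by tcpdump -w) in place of the constructed bytes.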