[Snort-users] Remote collection of data from a Snort sensor in stealth mode

Erek Adams erek at ...577...
Wed Jan 16 01:20:06 EST 2002

On Wed, 16 Jan 2002, Ian Masters wrote:

> Is there a way to remotely collect data from a snort sensor with 2 network
> cards connected to the same hub, one without an IP to collect network data
> in stealth mode and the other with an IP to allow collection of data
> remotely, without the sensor being visible on the network.

Sure is!  :)

> I can't see how this would be possible but a colleague of mine seems to
> think that it is?

Well, YMMV, but it can be done fairly simply.

> Is it?

Yes.  If you are using just two NICs you've got two choices.

	One Stealth connected to the outside or inside of your firewall,
basically wherever you want to watch.  The non-stealth interface connected
to the "management network" or "secure net".  This is where you would dump
your snort data to.  Either use barnyard to feed the data to a backend DB, or
use scp to drop off the snort.log files every so often and post-process the
data by running it through a snort process there on that box.

Does that make sense?  Or is it just late?  :-)

Erek Adams
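
One way to script the scp drop-off described in the reply above, as an added example that is not part of the original message or of the Snort project. The interface name, management address, collector host and path, the snort.log.<epoch> file naming and the iproute2 commands are all assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: eth1 = stealth NIC, 192.0.2.10 = management IP,
# a collector host/path, and snort.log.<epoch> file names in the log directory.
SNIFF_IF=${SNIFF_IF:-eth1}
MGMT_IP=${MGMT_IP:-192.0.2.10}
LOG_DIR=${LOG_DIR:-/var/log/snort}
DEST=${DEST:-snort@collector.example:/data/incoming/}

# Bring the sniffing NIC up with no address and with ARP disabled.
stealth_up() {
    ip addr flush dev "$1"
    ip link set dev "$1" arp off
    ip link set dev "$1" up
}

# List every snort.log.<epoch> in $1 except the newest, which snort still has open.
# The suffix is sorted numerically so differing digit counts cannot misorder it.
completed_logs() {
    dir=$1
    newest=$(cd "$dir" && ls snort.log.* 2>/dev/null | sort -t. -k3,3n | tail -n 1)
    for f in "$dir"/snort.log.*; do
        [ -e "$f" ] || continue
        [ "$(basename "$f")" = "$newest" ] && continue
        printf '%s\n' "$f"
    done
}

# Copy one file to the collector; BindAddress pins the source to the management IP.
send_file() {
    scp -q -o BindAddress="$MGMT_IP" "$1" "$2"
}

# Ship completed logs, moving each aside only after its copy succeeded.
ship_logs() {
    dir=$1 dest=$2
    mkdir -p "$dir/shipped"
    completed_logs "$dir" | while IFS= read -r f; do
        send_file "$f" "$dest" && mv "$f" "$dir/shipped/"
    done
}

# Run "setup" once at boot and "ship" from cron; no argument only defines functions.
case "${1:-}" in
    setup) stealth_up "$SNIFF_IF" ;;
    ship)  ship_logs "$LOG_DIR" "$DEST" ;;
esac
```

A file whose copy fails stays in the log directory and is retried on the next run.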

