[Snort-users] Remote collection of data from a Snort sensor in stealth mode
erek at ...577...
Wed Jan 16 01:20:06 EST 2002
On Wed, 16 Jan 2002, Ian Masters wrote:
> Is there a way to remotely collect data from a snort sensor with 2 network
> cards connected to the same hub, one without an IP to collect network data
> in stealth mode and the other with an IP to allow collection of data
> remotely, without the sensor being visible on the network.
Sure is! :)
> I can't see how this would be possible but a colleague of mine seems to
> think that it is?
Well, YMMV, but it can be done fairly simply.
> Is it?
Yes. If you are using just two NICs you've got two choices.
One Stealth connected to the outside or inside of your firewall,
basically wherever you want to watch. The non-stealth interface connected
to the "management network" or "secure net". This is where you would dump
your snort data to. Either use barnyard to feed the data to a backend DB, or
use scp to drop off the snort.log files every so often and post-process the
data by running it through a snort process there on that box.
Does that make sense? Or is it just late? :-)
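
The scp option from the reply above, sketched as an added example that is not part of the original post. The interface name, log directory, collector host and account are assumptions; it relies on Snort's binary packet logging (`-b`), which writes `snort.log.<epoch>` files, and never ships the newest file because Snort may still have it open.

```shell
#!/bin/sh
# Added example: sensor-side helper for the two-NIC layout described above.
# All names below are assumptions, not values from the original post.
SNIFF_IF="${SNIFF_IF:-eth1}"          # stealth NIC: link up, no IP address
LOG_DIR="${LOG_DIR:-/var/log/snort}"  # where snort -b writes snort.log.<epoch>
DEST="${DEST:-snortxfer@collector.example:/data/sensor1/}"  # hypothetical host

# Bring the sniffing NIC up with no address and log packets in binary format.
start_sensor() {
    ip addr flush dev "$SNIFF_IF"
    ip link set dev "$SNIFF_IF" up
    snort -D -i "$SNIFF_IF" -b -l "$LOG_DIR"
}

# Print the names of completed log files in directory $1, oldest first.
# The newest snort.log.* is assumed to be the one Snort is still writing,
# so it is dropped from the list.
completed_logs() {
    ( cd "$1" && ls -1 snort.log.* 2>/dev/null | sort -t. -k3,3n | sed '$d' )
}

# Copy each completed log in $1 to $2 over the management NIC. A file is
# moved to sent/ only after the copy succeeds, so a failed transfer is
# retried on the next run. SCP can be overridden for testing.
ship_logs() {
    dir=$1
    dest=$2
    mkdir -p "$dir/sent" || return 1
    for f in $(completed_logs "$dir"); do
        ${SCP:-scp -q -B} "$dir/$f" "$dest" && mv "$dir/$f" "$dir/sent/$f"
    done
}

# Usage: script start   (once, at boot)
#        script ship    (from cron, "every so often")
case "${1:-}" in
    start) start_sensor ;;
    ship)  ship_logs "$LOG_DIR" "$DEST" ;;
esac
```

On the collector, the shipped files can then be replayed through Snort with `-r`, which is the post-processing step the reply mentions.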