[Snort-users] RE: Running 2 instances of snort
michaels at ...155...
Sat Jun 15 09:09:02 EDT 2002
Snort usually sets between the firewall and DMZ. If you have 2
interfaces, you place Snort on one interface and set it to promiscuous
mode and use the other interface as a management interface. You only
need one instance of Snort. You should only be interested in what comes
thru the firewall.
If your using the information for some kind of statistical purpose then
running Snort on the outside and inside may prove useful.
Anytime you run Snort on the outside of the firewall yoiur going to see
an enormous amount of alerts being triggered, and your going to have to
sort thru them.
Michael Steele | System Engineer / System Administrator
mailto:michaels at ...155...
From: Archer [mailto:archer at ...2694...]
Sent: June 14, 2002 10:25 PM
To: Michael Steele
Subject: Re: Running 2 instances of snort
Thank you for your reply.
The reason for the 2 interfaces is as such. One will be in front of a
corporate firewall and another will be behind it. This way everything is
logged. If there is a penetration through the firewall, then snort
able to get something.
We are using sniffer cables on both sides and any changes are done at
Does this seem like solid logic on this? Or am I missing something?
Thanks again for your input and I will check out the link you sent.
More information about the Snort-users