[Snort-users] RE: Running 2 instances of snort

Michael Steele michaels at ...155...
Sat Jun 15 09:09:02 EDT 2002


Archer,

Snort usually sits between the firewall and DMZ. If you have 2
interfaces, you place Snort on one interface and set it to promiscuous
mode and use the other interface as a management interface. You only
need one instance of Snort. You should only be interested in what comes
thru the firewall.

If you're using the information for some kind of statistical purpose then
running Snort on the outside and inside may prove useful.

Anytime you run Snort on the outside of the firewall you're going to see
an enormous amount of alerts being triggered, and you're going to have to
sort thru them.

Michael Steele | System Engineer / System Administrator     
mailto:michaels at ...155...
http://www.silicondefense.com

-----Original Message-----
From: Archer [mailto:archer at ...2694...] 
Sent: June 14, 2002 10:25 PM
To: Michael Steele
Subject: Re: Running 2 instances of snort

Michael,

Thank you for your reply.

The reason for the 2 interfaces is as such. One will be in front of a
corporate firewall and another will be behind it. This way everything is
logged. If there is a penetration through the firewall, then snort should
be able to get something.

We are using sniffer cables on both sides and any changes are done at the
console.

Does this seem like solid logic on this? Or am I missing something?

Thanks again for your input and I will check out the link you sent.

Archer








