[Snort-users] what's the best setup?

c white cwhite at ...6062...
Mon Jun 17 07:44:03 EDT 2002


What is the best setup for this network?

I work for a large educational institution, all of our servers are on a 
switch, and I am not permitted, by policy, to place a sniffer between 
the switch and our router, all of the servers are on the same subnet, a 
mix of Unix, LINUX, winNT and win2k.

I was thinking about installing a "master" snort box, which would sniff 
on its own port and use mysql to store the data, and acid to present it 
through a web interface, and then install snort "sensors" on the other 
servers and report the data to the "master" server, the only problem 
with this is that some of the win servers are smp and winpcap doesn't 
like smp, is there another way to sniff out these servers without 
installing a "sensor" locally (did i miss something in the manual) or am 
I just S-O-L.

Suggestions, comments and ideas will be greatly appreciated?





More information about the Snort-users mailing list