[Snort-users] Help with where to place a Snort sensor! -newbie questions-

Daniel Lopez dlopez at ...6134...
Wed Jun 19 02:38:03 EDT 2002


Hello!

I guess you will find the following questions basic, but I do not
have much professional background or practical work in the network
field.

I was reading the paper from Jon Bull "Snort's Place in a Windows 2000
Environment".
He says:
"

[ Internet ] -------(1) ------- [ Router ] -------(2) ------- [ LAN ]

(Fig 1)

On a simple LAN with no DMZ (see figure 1) there are two optimal places
to locate your sensor, between the router and the Internet, and between
the router and LAN. The first configuration, denoted with a (1), will
detect all attacks against the network, but will not show you which
attacks actually get through the router and into the LAN. The second
configuration, denoted with a (2), will show you which attacks enter the
LAN."

I suppose that between the router and the LAN (constituted by some
computers, for instance), there is a hub or a switch. Thus, if I want to
place my IDS in location 2, I can run Snort on a Linux box, with the
interface set up in promiscuous mode and stealth mode and connected to
the SPAN port of the switch or one port of the hub. Is that right?

And then, with this configuration, I will be able to detect
attacks coming from the outside but also from the inside of the LAN, and
attacks between computers inside the LAN (still constituted by some
computers and connected to a switch/hub that is in turn connected to the
router). Is that also right?

However, if I want to place my IDS in location 1, how could I do that?
Can I still use a Linux box with Snort installed on it, with the
interface set up in promiscuous mode and stealth mode and directly
connected to the Internet and the other interface connected to the
router?
How could I manage my IDS then?


Thank you very much for your help! :)
Daniel Lopez




