[Snort-users] switch port settings?

Matt Kettler mkettler at ...4108...
Tue Oct 1 11:02:53 EDT 2002


Sure, this is a very good idea, many snort setups do this. Ultimately 
you'll have to weigh if you're interested in attacks within your LAN, but 
in many cases it makes sense to not trust your users. As far as the high 
alert level goes, it looks like you just need to change some of your settings.

In particular you might want to consider:
1) change EXTERNAL_NET to be !$HOME_NET or at least !$SERVERS instead of any.

2) carefully pick which IPs and what thresholds to use for portscan. In 
general I try not to watch internal LAN servers with this and I tend to 
increase the thresholds for snort boxes monitoring inside a LAN (as opposed 
to those monitoring just the connection from a LAN to the Internet).


At 11:53 AM 10/1/2002 -0400, Matthew Harrell wrote:
>I recently changed the switch port that my Snort box is on so that it hears
>the traffic that hits all the ports on the switch.  This seems like it is a
>good idea in order to have a true NIDS; however, since doing so, I'm
>FLOODED with tons of alert and portscan log entries.  I'm in the process of
>playing with ACID to improve the usage of these logs, but is it a good idea
>to leave the switch port set this way?
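An added example, not from either poster, showing what the two suggestions above look like in a snort.conf. It uses the Snort 1.x variable and preprocessor syntax current when this thread was written (later releases replaced the portscan preprocessor with portscan2 and then sfportscan, so check the syntax against the snort.conf that shipped with your version). The addresses, server list, threshold numbers and log path are assumptions chosen for illustration.

```conf
# Added example (not from the original thread). Snort 1.x syntax assumed.
# Addresses, server list, thresholds and paths are illustrative only.

# --- Before: the common default that floods a sensor on a SPAN/mirror port ---
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
# With EXTERNAL_NET set to any, a rule written as
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (...)
# also matches LAN-to-LAN traffic, which the mirrored port now delivers in bulk.
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

# --- After: the two changes suggested in the reply ---
var HOME_NET 192.168.1.0/24
# Assumed internal servers (file server and DNS); adjust to your own network.
var SERVERS [192.168.1.10/32,192.168.1.11/32]

# 1) Stop treating the LAN as external. Pick one of the two:
#    a) anything not on the LAN is external (quietest);
var EXTERNAL_NET !$HOME_NET
#    b) looser: only the servers are exempt, so client-to-client traffic
#       still gets inspected by $EXTERNAL_NET -> $HOME_NET rules.
# var EXTERNAL_NET !$SERVERS

# 2) Portscan tuning for a sensor inside the LAN.
#    Syntax: preprocessor portscan: <network> <ports> <seconds> <logfile>
#    The shipped default of 4 ports in 3 seconds suits an Internet-edge
#    sensor; inside a LAN, normal multi-port chatter trips it constantly,
#    so this (assumed) setting raises the threshold.
preprocessor portscan: $HOME_NET 10 5 /var/log/snort/portscan.log
#    Leave the internal servers out of portscan detection, as the reply
#    suggests: a server answering many clients looks like a scanner otherwise.
#    (Hosts are listed literally here; syntax is a space-separated list.)
preprocessor portscan-ignorehosts: 192.168.1.10/32 192.168.1.11/32
```

After editing, run Snort with its configuration-test switch (`snort -T -c /etc/snort/snort.conf` on versions that support `-T`) before restarting the sensor, so a typo in a variable or preprocessor line is caught without losing traffic.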
