[Snort-users] snort setup on freebsd

Ha Hoang summer_beha at ...131...
Sun Sep 8 09:54:08 EDT 2002


Hi,

I'm in the process of setting up snort on my freebsd
box. I have several questions:

1. Where should I put the snort box?
2. How many network cards/sensors do I need?
3. Anything else I should do before or need to consider?
4. Is Snort easy to set up?
5. How often does the signature database need to be
updated?
6. Do I need to configure my own rules or are the
canned ones sufficient?

Any help you can provide will be greatly appreciated.
Thanks,
Ha
--- Scot Scot <scotw at ...125...> wrote:
> Might look something like this:
>
>                               DMZ
>                                |
>                                |
>                              |TAP|-------Snort
>                                |
>                                |
> Cisco Router ----|TAP|-----Firewall------|TAP|------------Switch
>                    |                       |
>                    |                       |
>                  Snort                   Snort
>
> You can then correlate your intrusion traffic between sensors. I would not
> recommend using the mirroring port on a Switch, it can be very processor
> intensive and you may not detect all fragmented packets.
> 
> Scot
> 
> 
> <snip>
> > where would you put the DMZ and firewall?
> >
> >
> > Friday, July 12, 2002, 11:41:35 PM, you wrote:
> >
> > SS> If you put a HUB in you'll knock your traffic down to Half-Duplex
> >
> > SS> Perhaps you could throw in a TAP:
> >
> > SS> Cisco Router ----| Network TAP|-----------------HUB------------------Switch
> > SS>                                        |
> > SS>                                        |
> > SS>                                        |
> > SS>                               Snort Sensor
> >
> > SS> Here's one company (of many) off the top of my head:
> >
> > SS> www.netoptics.com
> >
> > SS> Scot
> >
> > SS> ----- Original Message -----
> > SS> From: "Tom Sevy" <tsevy at ...1701...>
> > SS> To: "user snort" <snort-users at lists.sourceforge.net>
> > SS> Sent: Friday, July 12, 2002 9:30 AM
> > SS> Subject: RE: [Snort-users] snort setup
> >
> >
> > >> I would recommend instead that you put a decent hub in rather than put the
> > >> snort box inline.  What happens when you have to reboot the snort server
> > >> box?  You (& your users & your web visitors) will lose the internet
> > >> connection.
> > >>
> > >> So go with:
> > >>
> > >> Cisco Router ---------------------HUB------------------Switch
> > >>                                    |
> > >>                                    |
> > >>                                    |
> > >>                               Snort Sensor
> > >>
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: Alwin Raymundo [mailto:alrayworld at ...131...]
> > >> Sent: Friday, July 12, 2002 7:36 AM
> > >> To: user snort
> > >> Subject: [Snort-users] snort setup
> > >>
> > >>
> > >> Hi all,
> > >>
> > >> Here is another naive question of mine.  I want to put my
> > >> snort box in front of my switch because my switch is
> > >> not capable of port mirroring.
> > >>
> > >> internet -> cisco router -> snort box -> switch -> servers
> > >>
> > >> My future setup on snort box (redhat 7.3, snort -mysql
> > >> and 2 nic cards).
> > >>
> > >> Now here is the question about the 2 NICs: what IP addresses should I
> > >> use for these 2 NIC cards? Should it be 2 public IP addresses, or
> > >> 1 public IP address and 1 network address?
> > >>
> > >> any help would be highly appreciated.
> > >>
> > >> Thanks in advance, brother in snort.
> > >>
> > >>
> > >> =====
> > >> Alwin Raymundo
> > >>
> > >>
> > >> _______________________________________________
> > >> Snort-users mailing list
> > >> Snort-users at lists.sourceforge.net
> > >> Go to this URL to change user options or unsubscribe:
> > >> https://lists.sourceforge.net/lists/listinfo/snort-users
> > >> Snort-users list archive:
> > >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > Best regards,
> >  Darren  mailto:darren at ...6315...
> >
=== message truncated ===
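
The cross-sensor correlation mentioned in the quoted reply, sketched as an added example that is not part of the original thread: it groups alerts from three sensors by signature ID and endpoints and reports which taps saw each event. The sensor names (`outside`, `dmz`, `inside`), the sample alert lines and the use of Snort's "fast" alert format are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts; the sensor names are hypothetical labels for the
# three taps in the diagram (router side, DMZ leg, switch side).
WEB = ("[**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web "
       "Application Attack] [Priority: 1] {TCP} 203.0.113.5:4312 -> 192.0.2.10:80")
PING = ("[**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted "
        "Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 192.0.2.20")
SNMP = ("[**] [1:1418:2] SNMP request tcp [**] [Classification: Attempted "
        "Information Leak] [Priority: 2] {TCP} 10.0.0.15:1045 -> 10.0.0.2:161")
SAMPLE = {
    "outside": ["09/08-09:54:08.101000  " + WEB, "09/08-09:54:09.220000  " + PING],
    "dmz": ["09/08-09:54:08.101900  " + WEB],
    "inside": ["09/08-09:55:30.000100  " + SNMP, "not an alert line"],
}

def strip_port(endpoint):
    """Drop the ':port' suffix (IPv4 only; ICMP alerts carry no port)."""
    return endpoint.rsplit(":", 1)[0]

def correlate(alerts_by_sensor):
    """Map (sid, src_ip, dst_ip) -> sorted list of sensors that alerted on it."""
    seen = defaultdict(set)
    for sensor, lines in alerts_by_sensor.items():
        for line in lines:
            m = ALERT_RE.match(line.strip())
            if m is None:
                continue  # ignore anything that is not a fast-format alert
            key = (int(m["sid"]), strip_port(m["src"]), strip_port(m["dst"]))
            seen[key].add(sensor)
    return {key: sorted(sensors) for key, sensors in seen.items()}

def seen_only_at(correlated, sensor):
    """Events that exactly one sensor reported (no other tap alerted on them)."""
    return sorted(k for k, v in correlated.items() if v == [sensor])

if __name__ == "__main__":
    for key, sensors in sorted(correlate(SAMPLE).items()):
        print(key, "seen at", ", ".join(sensors))
```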

