[Snort-users] To hub or not to hub
javier at ...7920...
Mon Jan 6 16:04:02 EST 2003
i have been using a snort box plugged on a hub that
sists between the inside interface of a firewall and
the internal switch for a couple of months and so far
so good...be sure to have the hub inside a rack well
locked so nobody (but the one that have the key for
the rack) can insert another sniffer on the hub...i
did not configure any ip address on this box just to
be sure that is not remotely accesible (i do not
manage the firewall and getting the firewall manager
to configure some rules for this machine was another
difficult sell) with the not so great side effect that
to configure/monitor snort i have to be sitting at the
console (the snort box)...
on another side, why not spanning? (in my case i could
not do it because an old ios on the switch)...
--- Anthony Scott <ascott at ...6076...> wrote:
> Hi. I am going to initially deploy one Snort box on
> our network. I want to place it right after our
> firewall to detect anything getting through.
> We have an all switched environment and I do not
> want to do any spanning (at least initially). I read
> two documents on Snort's web site, one said a hub
> was fine, one said a hub was a bad idea. I like the
> idea because it would be easy to plug and unplug the
> snort box without disrupting traffic.
> I would also like to use the box for a sniffer, ala
> Thoughts, feelings, ideas?
> anthony scott
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> Snort-users list archive:
More information about the Snort-users