[Snort-users] Re: [Snort-sigs] Snort on FTP server
mkettler at ...4108...
Wed Jan 22 11:50:04 EST 2003
First, I'm moving this over to snort-users, which is where it belongs.
snort-sigs is for signature development related issues.
Second, sure, you can run snort on any pc at any point in your network. It
all depends on what you want snort to monitor. The most common deployment
monitors a whole network, thus snort is commonly installed at the gateway,
but there's no reason it can't monitor a point inside the network.
Snort should see all the traffic present on the FTP server's NIC, but
because your DSL router's 3 ethernet ports are likely a switch, it will not
be able to monitor attacks against any other machine in the network.
Also since the FTP server is NAT'ed by a typical DSL/cable router box, I
highly doubt it will be probed on any ports other than ones which your
router is manually configured to forward to the FTP server. It's impossible
for anyone outside to specifically address your FTP server, thus it should
be impossible for me to probe a random subset of ports on your FTP box from
There is one major drawback of running it on the same machine: if the FTP
server gets hacked, the attacker, if smart, can now blank your snort logs.
At 06:24 PM 1/17/2003 +0100, Walter Pouwels wrote:
>Hi to all.
>I wonder if it is any use putting snort on a pc (win2k server) which is
>used as an FTP server ?
>When reading through Snort doc's and such all I seem to read is snort
>being used on the actual router/gateway station, listening on the external
>interface. What I want to do is monitor any logon attempts at the ftp
>server for users without login/pw but also if the machine gets probed on
>any other ports.
>The network topology is as follows:
>1x WAN ------ ADSL 1536 Kbps/256Kbps
>4x LAN 10/100 Mbit
>In the 4 LAN connections there are:
>pc-1 end-user system IP 192.168.4.1
>pc-2 end-user system IP 192.168.4.2
>pc-3 FTP server IP 192.168.4.3
>So is this possible to install snort on a machine with only 1 NIC and have
>it listen to the traffic on that NIC or should I place another pc between
>the FTP server and the router LAN port
>(giving: ftp-server ---- SNORT PC ----- router ---- ADSL)?
>Thanks in advance.
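As an added illustration (not part of either message above), here is what a Snort 2.x configuration on the FTP server itself could look like for the setup the question describes: HOME_NET is just the FTP box's own NIC, the rule fires on repeated FTP "530" (not logged in) replies to one client, and alerts are shipped to another LAN host so a compromised server cannot simply blank them. The Snort 2.x rule syntax, the Win32 host= form of alert_syslog, and 192.168.4.1 as the log collector are assumptions.

```conf
# Added example, not from the original thread. Assumes Snort 2.x rule syntax,
# the Win32 "host=" form of alert_syslog, and 192.168.4.1 as the log host.
var HOME_NET 192.168.4.3/32      # the FTP server's own NIC: all Snort sees here
var EXTERNAL_NET !$HOME_NET

# Alert when the FTP daemon answers a login with "530 ..." (RFC 959: not logged
# in), but only once 5 such replies go to the same client within 60 seconds,
# so a single typo does not page anyone.
alert tcp $HOME_NET 21 -> any any (msg:"FTP repeated failed login"; flow:from_server,established; content:"530 "; depth:4; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:unsuccessful-user; sid:1000001; rev:1;)

# Send alerts off the box over syslog; local files are the first thing an
# attacker who owns the FTP server will wipe.
output alert_syslog: host=192.168.4.1:514, LOG_AUTH LOG_ALERT
```

Because the router only forwards the FTP ports to this host, a rule on other ports would never trigger from the outside, which matches the point made above.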