[Snort-users] Hardware/snort config question

Marc Quibell mquibell at ...7759...
Wed Jul 23 10:47:32 EDT 2003

Yes, you must port mirror (or port span) on a switch. You will also need a
second NIC for connection to the outside hub. Do you do 1-to-1 NAT? A class B
block to NAT to? Seems excessive...

>Message: 12
>Date: Wed, 23 Jul 2003 10:13:11 -0700
>From: "Richard Roy" <RoyR at ...5882...>
>To: <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Hardware/snort config question
>This is a multi-part message in MIME format.>
>Content-Type: text/plain;>
>    charset="US-ASCII"
>Content-Transfer-Encoding: quoted-printable
>First of all, HUGE thanks to Patrick S. Harper for the doc to get snort
>going and some additional help!
>Second. I have a logistic question on how/where to put it and configure
>a few things to properly snort.
>I have a /16 of real IP addresses that are assigned to a hardware FW's
>external interface and NATted to the private internal 10's.  The signal
>comes in from the ISP to a router then to a hub then to 2 different
>firewalls.  One which has a single IP assigned to it for my wireless
>(separate network) and another that has the balance of the /16.
>The snort box is on the LAN which is all switched.  How can I get all
>the stuff on the switch to be snorted? I'm thinking a port mirror or
>something right?  Second, do I need to add a second NIC and attach to
>the HUB to see all the external traffic hitting the firewalls or not?
>My guess is yes or can I simply assign multiple IP's to the same nic
>(I'm running RH9)

>For the internal net I gave the snort box to scan
>that's correct right (assuming it has an address of
>For external I gave it the /16 range of real ip's I have.
>Thanks in advance.  Please excuse this if it is "off-topic" and reply
>off list if you can help.=20
>Richard Roy
>Network Administrator
>JusticeTrax Inc
>602-938-0059 x102
>royr at ...5882...

More information about the Snort-users mailing list