[Snort-users] Using SNORT for Internal IDS

Erek Adams erek at ...950...
Wed Jun 25 08:24:17 EDT 2003


On Tue, 24 Jun 2003, Pankaj Gupta wrote:

> I am not sure if Snort can be used to monitor internal attacks or intrusion
> activities. Also, can I use two copies of Snort (installed on two separate
> servers), one to monitor the external port outside my firewall and the other
> to monitor specific internal ports for signature matches. Does anyone have
> any experience, inputs or documentation on this matter? Thanks.

Snort can be used for any type of detection.  It all depends on where you
place it and what you want to see.

You can use as many copies as you want.  It doesn't care that you're using
more than one.

All it takes is the correct physical placement, and the correct setting of
your HOME_NET/EXTERNAL_NET.

Check out the placement docs on Snort.org.  They have a lot of useful info
in them.  You might also want to check out this [0].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.theadamsfamily.net/~erek/snort/ids_placement.txt




More information about the Snort-users mailing list