[Snort-users] Using SNORT for Internal IDS
erek at ...950...
Wed Jun 25 08:24:17 EDT 2003
On Tue, 24 Jun 2003, Pankaj Gupta wrote:
> I am not sure if Snort can be used to monitor internal attacks or intrusion
> activities. Also, can I use two copies of Snort (installed on two separate
> servers), one to monitor the external port outside my firewall and the other
> to monitor specific internal ports for signature matches. Does anyone have
> any experience, inputs or documentation on this matter? Thanks.
Snort can be used for any type of detection. It all depends on where you
place it and what you want to see.
You can use as many copies as you want. It doesn't care that you're using
more than one.
All it takes is the correct physical placement, and the correct setting of
Check out the placement docs on Snort.org. They have a lot of useful info
in them. You might also want to check out this .
"When things get weird, the weird turn pro." H.S. Thompson