[Snort-users] Using SNORT for Internal IDS

Bryan Irvine bryan.irvine at ...9066...
Wed Jun 25 08:53:15 EDT 2003


I must have deleted the original message.  I have it running on an
OpenBSD firewall with 4 ethernet cards (2 nats, 1 DMZ and the internet
connection)  and I am monitoring all of them.  I am running 4 instances
of snort so the logs are easier to keep track of (although I could do it
with 1 instance).  It does monitor internal traffic between machines
some, although a lot is missed as a result of using lots and lots of
switches, but then, sometimes that's the only way; I couldn't imagine
this many people on hubs.

--Bryan

On Wed, 2003-06-25 at 08:22, Erek Adams wrote:
> On Tue, 24 Jun 2003, Pankaj Gupta wrote:
> 
> > I am not sure if Snort can be used to monitor internal attacks or intrusion
> > activities. Also, can I use two copies of Snort (installed on two separate
> > servers), one to monitor the external port outside my firewall and the other
> > to monitor specific internal ports for signature matches. Does anyone have
> > any experience, inputs or documentation on this matter? Thanks.
> 
> Snort can be used for any type of detection.  It all depends on where you
> place it and what you want to see.
> 
> You can use as many copies as you want.  It doesn't care that you're using
> more than one.
> 
> All it takes is the correct physical placement, and the correct setting of
> your HOME_NET/EXTERNAL_NET.
> 
> Check out the placement docs on Snort.org.  They have a lot of useful info
> in them.  You might also want to check out this [0].
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
> 
> 
> [0]	http://www.theadamsfamily.net/~erek/snort/ids_placement.txt
> 
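The setup discussed in this thread (one Snort instance per interface, each with its own logs and its own HOME_NET/EXTERNAL_NET), sketched as an added example that is not code from either poster. The interface names, networks, paths and the shared `common.conf` are constructed; setting EXTERNAL_NET to `any` on the internal sensors is an assumption made here so that rules also match host-to-host traffic inside a segment.

```shell
#!/bin/sh
# Dry run: print a per-interface Snort config and command line.
# Nothing is written or started; all names and networks are constructed.

CONF_DIR=/etc/snort        # assumed directory for per-sensor configs
LOG_ROOT=/var/log/snort    # assumed log root, one subdirectory per sensor
INTERNAL='[192.168.1.0/24,192.168.2.0/24,10.0.0.0/24]'

# Sensor table: interface, HOME_NET, EXTERNAL_NET.
# The Internet-facing sensor protects every internal network; each internal
# sensor protects only its own segment and treats any source as a candidate.
SENSORS="fxp0 $INTERNAL !\$HOME_NET
fxp1 192.168.1.0/24 any
fxp2 192.168.2.0/24 any
fxp3 10.0.0.0/24 any"

# Print "HOME_NET EXTERNAL_NET" for interface $1; fail if it is not listed.
sensor_row() {
    echo "$SENSORS" | while read -r ifc net ext; do
        if [ "$ifc" = "$1" ]; then echo "$net $ext"; fi
    done | grep .
}

# Print the config for interface $1: its own variables, then shared rules.
sensor_conf() {
    row=$(sensor_row "$1") || return 1
    printf 'var HOME_NET %s\n' "${row% *}"
    printf 'var EXTERNAL_NET %s\n' "${row#* }"
    printf 'include %s/common.conf\n' "$CONF_DIR"
}

# Print the command that starts the instance for interface $1:
# -D daemon mode, -i interface, -c config file, -l log directory.
sensor_cmd() {
    sensor_row "$1" >/dev/null || return 1
    echo "snort -D -i $1 -c $CONF_DIR/snort-$1.conf -l $LOG_ROOT/$1"
}

# Show what would be configured and run for every sensor in the table.
echo "$SENSORS" | while read -r ifc net ext; do
    echo "# $CONF_DIR/snort-$ifc.conf"
    sensor_conf "$ifc"
    sensor_cmd "$ifc"
    echo
done
```

Separate log directories keep alerts from each segment apart, which is the reason given above for running four instances instead of one.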