[Snort-users] Using SNORT for Internal IDS
bryan.irvine at ...9066...
Wed Jun 25 08:53:15 EDT 2003
I must have deleted the original message. I have it running on an
OpenBSD firewall with 4 ethernet cards (2 nats, 1 DMZ and the internet
connection) and I am monitoring all of them. I am running 4 instances
of snort so the logs are easier to keep track of (although I could do it
with 1 instance). It does monitor internal traffic between machines
some, although a lot is missed as a result of using lots and lots of
switches, but then, sometimes that's the only way; I couldn't imagine
this many people on hubs.
On Wed, 2003-06-25 at 08:22, Erek Adams wrote:
> On Tue, 24 Jun 2003, Pankaj Gupta wrote:
> > I am not sure if Snort can be used to monitor internal attacks or intrusion
> > activities. Also, can I use two copies of Snort (installed on two separate
> > servers), one to monitor the external port outside my firewall and the other
> > to monitor specific internal ports for signature matches. Does anyone have
> > any experience, inputs or documentation on this matter? Thanks.
> Snort can be used for any type of detection. It all depends on where you
> place it and what you want to see.
> You can use as many copies as you want. It doesn't care that you're using
> more than one.
> All it takes is the correct physical placement, and the correct setting of
> your HOME_NET/EXTERNAL_NET.
> Check out the placement docs on Snort.org. They have a lot of useful info
> in them. You might also want to check out this .
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
>  http://www.theadamsfamily.net/~erek/snort/ids_placement.txt
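
The one-instance-per-interface setup and per-sensor HOME_NET/EXTERNAL_NET settings discussed in this thread, sketched as an added example that is not part of the original messages. The interface names, subnets, paths and the `SENSORS` table are constructed placeholders, and the shared config file is assumed not to define HOME_NET or EXTERNAL_NET itself.

```sh
#!/bin/sh
# Added example: one Snort process per monitored interface, each with its own
# HOME_NET, EXTERNAL_NET and log directory. Interface names, subnets and paths
# are constructed placeholders; the shared config file is assumed not to
# define HOME_NET or EXTERNAL_NET itself.

CONF=${CONF:-/etc/snort/snort.conf}
LOGROOT=${LOGROOT:-/var/log/snort}

# name:interface:HOME_NET:EXTERNAL_NET, one sensor per line (constructed).
# The internal sensors use EXTERNAL_NET=any: with "!HOME_NET", rules written
# as "$EXTERNAL_NET any -> $HOME_NET" never match host-to-host traffic inside
# the monitored subnet.
SENSORS='ext:fxp0:192.0.2.1/32:!192.0.2.1/32
dmz:fxp1:192.168.10.0/24:!192.168.10.0/24
nat1:fxp2:10.1.0.0/16:any
nat2:fxp3:10.2.0.0/16:any'

# Print the snort command line for one sensor entry; fail on a malformed one.
sensor_cmd() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    if [ $# -ne 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
        echo "bad sensor entry" >&2
        return 1
    fi
    # -D daemon mode, -i interface, -c config, -l log dir, -S set a rules variable
    echo "snort -D -i $2 -c $CONF -l $LOGROOT/$1 -S HOME_NET=$3 -S EXTERNAL_NET=$4"
}

# Print every sensor's command; with RUN=1, create its log dir and start it.
start_all() {
    while read -r entry; do
        cmd=$(sensor_cmd "$entry") || return 1
        if [ "${RUN:-0}" = 1 ]; then
            mkdir -p "$LOGROOT/${entry%%:*}" && $cmd || return 1
        else
            echo "$cmd"
        fi
    done <<EOF
$SENSORS
EOF
}

start_all
```

Run as-is it only prints the four command lines; set `RUN=1` to create the log directories and start the sensors.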