[Snort-users] Snort documentation

Erek Adams erek at ...950...
Sun May 25 08:14:04 EDT 2003

On Fri, 23 May 2003, Michael Conlen wrote:

> I'm looking for some documentation, if it's been written, on setting up
> snort between a switch and a host... ...some background.
> I've got hosts connected to a switch. Each host is doing something
> around 40-70Mbit per second. I'd like to set up a snort box between each
> of these and the switch in such a way that no one knows they are there.
> My idea is to set up the box with three interfaces (one, two and three).
> Interface one connects to the switch, interface two connects directly to
> the host. Interface 3 connects to a network somewhere so I can login. I
> would like to set it up so that interface 1 and 2 are not configured in
> the OS for any stacks, and just let snort read packets from interface
> one and dump them on two, and vice versa, then generate warnings which
> would get syslogged somewhere through interface three.
> I had thought this was possible at some point (years ago) but I didn't
> see it anywhere in the documentation. Can someone point me in the right
> direction?

Yes, it's possible.  It all depends on what you want to do.  You can set
up a 'stealth' interface (FAQ 3.1), use a ReadOnly Cable (FAQ 3.2), or use
a network tap [0].

I'd use a combination of R/O Cables and Stealth if you're trying to save
money.  If you can spend money, use the taps.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.netoptics.com/11.html

