[Snort-users] Snort documentation
erek at ...950...
Sun May 25 08:14:04 EDT 2003
On Fri, 23 May 2003, Michael Conlen wrote:
> I'm looking for some documentation, if it's been written on setting up
> snort between a switch and a host... ...some background.
> I've got hosts connected to a switch. Each host is doing something
> around 40-70Mbit per second. I'd like to set up a snort box between each
> of these and the switch in such a way that no one knows they are there.
> My idea is to set up the box with three interfaces (one, two and three).
> Interface one connects to the switch, interface two connects directly to
> the host. Interface 3 connects to a network somewhere so I can login. I
> would like to set it up so that interface 1 and 2 are not configured in
> the OS for any stacks, and just let snort read packets from interface
> one and dump them on two, and vice versa, then generate warnings which
> would get syslogged somewhere through interface three.
> I had thought this was possible at some point (years ago) but I didn't
> see it anywhere in the documentation. Can someone point me in the right
Yes, it's possible. It all depends on what you want to do. You can set
up a 'stealth' interface (FAQ 3.1), use a ReadOnly Cable (FAQ 3.2), or use
a network tap.
I'd use a combination of R/O Cables and Stealth if you're trying to save
money. If you can spend money, use the taps.
"When things get weird, the weird turn pro." H.S. Thompson