[Snort-users] Placing Snort

Bill Parker dogbert at ...11664...
Wed Sep 1 09:07:12 EDT 2004

  ----- Original Message ----- 
  From: Chandana Bandara 
  To: Snort 
  Sent: Wednesday, September 01, 2004 2:30 AM
  Subject: [Snort-users] Placing Snort


  I implemented snort in this way 

  Internet ---------------> Router -----------------------> Firewall ---------------------> Snort--------------------> switch -----------------> LAN

  Well, from what you have above, I assume you have snort sitting on a switch port which is mirroring traffic to/from firewall, and this is the way most people set it up (though there are many ways things like this can be set up).  You want to make sure that whatever NIC you have plugged into this port is in promisc. mode (so it can see all traffic), and even better, if the NIC can be enabled w/out an IP address (prevents the sensor from reacting to traffic from the NIC itself).  Another method would be to make a cat-5 cable which only has the receive pins connected (no transmit) on the side which goes to the computer running snort (this ensures that snort can ONLY listen to traffic and never send anything, even by accident).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040901/01586138/attachment.html>

More information about the Snort-users mailing list