[Snort-users] snort deployment

fname lname larskman at ...11827...
Tue Aug 30 17:48:38 EDT 2005


I was reading over snort deployment on snort's site what if i build a 
passive tap? Will that be the same? But look I need two nic in my box to use 
it on a full duplex mode.

On 8/30/05, Will Metcalf <william.metcalf at ...11827...> wrote:
> 
> Hmmmm I agree with David, if you are only going to be passively
> monitoring traffic (alerting) there is no need to run in inline mode.
> You will probably introduce some unnecessary latency into your
> network. I would investigate using a span port or a tap.
> 
> Regards,
> 
> Will
> 
> On 8/30/05, David Klotz <bucky at ...242...> wrote:
> > On Tue, 30 Aug 2005, MAEDA wrote:
> >
> > > You should run snort as inline-mode (see manual version 2.3.x).
> > > In inline-mode, snort takes packet informations from target QUEUE of 
> iptables.
> > > So, you make bridge between two NICs, and assign QUEUE to 
> FORWARD-chain target.
> > >
> >
> > Wouldn't inline just add another layer of complexity when it's not 
> needed? I
> > would go with the switch and the span port, unless you have some 
> specific need
> > for inline, such as connection killing or any of the IPS style 
> functionality.
> > But I'm no expert...
> >
> > --
> > -Dave
> > -bucky at ...242...
> >
> >
> >
> > -------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA * Development Lifecycle 
> Practices
> > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & 
> QA
> > Security * Process Improvement & Measurement * 
> http://www.sqe.com/bsce5sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
> 
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle 
> Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?listsnort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050830/c8f8b43e/attachment.html>


More information about the Snort-users mailing list