[Snort-users] Snort multiple sensor configuration

Joel Esler eslerj at ...11827...
Fri Oct 10 09:47:24 EDT 2008


So are all the networks that talk to the internet going to be crossing your
sniffing interface that you have behind the firewall?

If so, then what is the sense in having the inside interface also watch
traffic going out to the internet?

Have your third interface set up as your HOME_NET = your internal network,
and your EXTERNAL_NET = $HOME_NET.

So basically you are watching network-to-network traffic, not network-to-
internet, since you already have an interface to do that.

That way you aren't duplicating alerts.

Joel

On Thu, Oct 9, 2008 at 4:11 PM, Stephen Reese <rsreese at ...11827...> wrote:

> > Let me ask. What are you trying to accomplish with the inside span?
> > Just watching internal to internal?
>
> Yes. If someone decides to bring in their Windows ME box to a branch
> and plug it in then I would like to see malicious traffic that may be
> geared towards the 'main network'. The branch locations have little
> support in regards to IT.



-- 
Joel Esler
  Cell: 706-231-1451
  iChat:  eslerjoel
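
Added example, not part of the thread: a small Python model of the variable scoping suggested in the reply above, showing which sensor alerts on a flow when the inside span uses `EXTERNAL_NET = any` versus `EXTERNAL_NET = $HOME_NET`. The address ranges, interface labels, the perimeter sensor's `!$HOME_NET` value and the simplified rule header are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing for illustration; the thread names no real ranges.
INTERNAL = ["10.1.0.0/16", "10.2.0.0/16"]  # main network and one branch


def member(ip, spec, home):
    """Evaluate a Snort-style IP variable: 'any', '$HOME_NET', '!$HOME_NET'."""
    in_home = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in home)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return in_home
    if spec == "!$HOME_NET":
        return not in_home
    raise ValueError(f"unsupported variable value: {spec}")


def fires(sensor, flow):
    """Model a rule header 'alert ip $EXTERNAL_NET any -> $HOME_NET any'."""
    if sensor["iface"] not in flow["seen_on"]:
        return False  # this sniffing interface never sees the packets
    home = sensor["HOME_NET"]
    return (member(flow["src"], sensor["EXTERNAL_NET"], home)
            and member(flow["dst"], "$HOME_NET", home))


def alerting_sensors(sensors, flow):
    """Names of the sensors that would alert on this flow."""
    return [s["name"] for s in sensors if fires(s, flow)]


PERIMETER = {"name": "perimeter", "iface": "behind_fw",
             "HOME_NET": INTERNAL, "EXTERNAL_NET": "!$HOME_NET"}  # assumed values
INSIDE_ANY = {"name": "inside", "iface": "inside_span",
              "HOME_NET": INTERNAL, "EXTERNAL_NET": "any"}
INSIDE_SCOPED = {"name": "inside", "iface": "inside_span",
                 "HOME_NET": INTERNAL, "EXTERNAL_NET": "$HOME_NET"}

# Constructed flows. The inbound one crosses both sniffing interfaces.
INBOUND = {"src": "198.51.100.7", "dst": "10.1.0.20",
           "seen_on": {"behind_fw", "inside_span"}}
BRANCH = {"src": "10.2.0.99", "dst": "10.1.0.20", "seen_on": {"inside_span"}}

if __name__ == "__main__":
    for label, inside in (("any", INSIDE_ANY), ("$HOME_NET", INSIDE_SCOPED)):
        sensors = [PERIMETER, inside]
        print(label, alerting_sensors(sensors, INBOUND), alerting_sensors(sensors, BRANCH))
```

With the scoped setting, the inbound flow alerts once (perimeter only) while the branch-to-main flow still alerts on the inside sensor.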

