[Snort-users] IDS and HoneyPot placement in LAN

Joe Pampel jpampel at ...14829...
Wed Jun 16 11:43:48 EDT 2010

I'd say one of the simplest would probably be span the switch port where the Honeypot is connected.
The span port would feed an unnumbered interface on the snort sensor. This way you
get only traffic bound to/from the honeypot (+ bcast).
The IDS sensor should not be visible this way.
The IDS host should also have a mgt interface.
The IDS management interface can be connected anywhere you want it.
A dedicated "security" vlan protected with proper ACL's etc. being one of the better options.

The honeypot should go wherever it makes the most sense in your situation. That all depends on what you're trying to do.
Maybe you can spell out your goal here a bit? Looking for internal miscreants or collecting attacks from the 'net or ?

jm2c, ymmv, and the usual disclaimers apply.

From: Quentin Ducas [quentin.h4c at ...11827...]
Sent: Wednesday, June 16, 2010 11:26 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] IDS and HoneyPot placement in LAN

I apologize for the newbie question, but what is the best placement for the IDS and the HoneyPot in the LAN?

I want to monitor a HoneyPot with the IDS (snort) [u]without[/u] monitoring the complete LAN. Want to monitor just one machine.
What should be the best placement for HoneyPot and IDS for this situation.
The HoneyPot is a so called 'research-honeypot' so it is not used for security-reasons.

Do I have to place the HoneyPot and the IDS in a DMZ?
Or is it better to place the IDS between modem and router, and the HoneyPot in a DMZ?
Or is it not necessary to have a DMZ and can I place the HoneyPot between modem and Router and the IDS in the LAN?
Do I need a switch to make a separate network for this?
Or maybe something else?

ergo: What is the best placement for both systems?

Thanks in advance,

The information contained in this correspondence is intended solely for the person or entity entitled to receive the confidential and/or privileged material that it may contain. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, the information in this correspondence (including any attachments) by anyone other than the intended recipient is strictly prohibited. If you believe that you may not be the intended recipient, please destroy and/or delete this correspondence and the attachment(s).

More information about the Snort-users mailing list