[Snort-users] Sensor Location

Phil Daws uxbod at ...14273...
Mon Mar 25 07:52:22 EDT 2013


am wishing to learn about the use of Snort and have begun to set up a test environment. What I am unsure of is the best place to locate the sensor. The set up I have is: 

Internet -> Physical Host (running KVM with Bridge0) -> KVM Guest acting as Firewall with three interfaces -> eth0 (Public IP) 
-> eth1 (DMZ 
-> eth2 (Internal LAN 

Would I be best installing Snort on the physical host and have it monitoring the bridged interface or on the virtual firewall and have it monitoring eth0 ? 

Any help would be gratefully appreciated. 

Thank you. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130325/20739382/attachment.html>

More information about the Snort-users mailing list