[Snort-users] Place to install Snort

Wei Chea Ang weichea at ...11827...
Wed Jan 28 09:21:01 EST 2015

There is no hard rules for sensor placement. Personally I would place it
behind the FW, less noise since FW should block some of the unwanted

If you want to do blocking, then you need to put the sensor inline. You
might want to invest in bypass kit, so there is no interruption to your
network if the hardware fails.

Yes, you could run snort on a VM, but I'm not sure if you can do inline on
VM though.

On Wednesday, January 28, 2015, Minh Trung <mvtrung27 at ...11827...> wrote:

> Hello expert,
> I miss my network design.
> Here is the full of design:
> [image: Inline images 1]
> Where i can place Snort to detect, alert and block if it can? is it
> possible running Snort on VMware?
> Any suggestion, please let me know
> Regards,
> On 24 January 2015 at 02:27, waldo kitty <wkitty42 at ...14940...
> <javascript:_e(%7B%7D,'cvml','wkitty42 at ...14940...');>> wrote:
>> On 1/22/2015 11:43 PM, Minh Trung wrote:
>> [...]
>> >
>> > Is this possible to place Snort  on vmware ? which spec i need to
>> > configuration for this machine? I want to capture all from Router, how
>> to
>> > configuration Snort to listen everything on Router, how configuration
>> > router look like?
>> > Any suggestion please let me know
>> you probably really want to put your sensor as close to the router if you
>> want
>> it to sniff all the traffic the router sees... perhaps an inline
>> configuration
>> where the traffic passes from the router through the sensor... if not set
>> there
>> in inline mode, then hung off of there so sniff the traffic as it passes
>> by...
>> but you can probably also use a dedicated nic in the vm machine for snort
>> to use
>> and have that wired to a span or mirror port from the router...
>> there are numerous ways but which you choose depends on what you want
>> snort to
>> do for your environment... do you want it to just detect and alert? do
>> you want
>> it to detect, alert and block? there're more decisions but i'm not sure
>> of any
>> design examples or drawings with the various layouts possible... this is
>> something you really need to study and consider the options for...
>> --
>>   NOTE: No off-list assistance is given without prior approval.
>>         Please *keep mailing list traffic on the list* unless
>>         private contact is specifically requested and granted.
>> ------------------------------------------------------------------------------
>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>> GigeNET is offering a free month of service with a new server in Ashburn.
>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
>> http://p.sf.net/sfu/gigenet
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> <javascript:_e(%7B%7D,'cvml','Snort-users at lists.sourceforge.net');>
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!

Wei Chea

Sent from Gmail Mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150128/ac17b4f5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 49553 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150128/ac17b4f5/attachment.png>

More information about the Snort-users mailing list