Snort mailing list archives
RE: Placement of Snort IDS
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Wed, 10 Apr 2002 14:28:22 -0400
Place your Snort box on the switch, and span the port it is on. It will then sniff all traffic passing through the switch. The Snort sensor is not set up as a gateway.

Snort is used to alert and log certain packets; it does not drop them based on a rule. Though whoever told you that it drops packets was probably referring to the flexresp option, where you can send TCP resets based on a rule being triggered.

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Kenny D [mailto:bitored2002 () yahoo com au]
Sent: Wednesday, April 10, 2002 12:04 PM
To: snort users
Subject: [Snort-users] Placement of Snort IDS

Hi,

I need to know where to place a Snort IDS in a switched environment.

Is it set up with a promiscuous mode port and port mirroring configured in the switch? Or is it set up to have all traffic pass through it so that it would act as a default gateway between servers/users and the firewall?

Someone told me that Snort can drop packets if there is a rule matched, I'm not so sure. I thought Snort logged, not dropped. That's why I have begun to rethink its placement. Who is right or wrong?

Thanks.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users