Snort mailing list archives
Re: Using SNORT for Internal IDS
From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 25 Jun 2003 08:53:05 -0700
I must have deleted the original message.

I have it running on an OpenBSD firewall with 4 ethernet cards (2 nats, 1 DMZ and the internet connection) and I am monitoring all of them. I am running 4 instances of snort so the logs are easier to keep track of (although I could do it with 1 instance).

It does monitor internal traffic between machines some, although a lot is missed as a result of using lots and lots of switches, but then, sometimes that's the only way; I couldn't imagine this many people on hubs.

--Bryan

On Wed, 2003-06-25 at 08:22, Erek Adams wrote:
> On Tue, 24 Jun 2003, Pankaj Gupta wrote:
>
> > I am not sure if Snort can be used to monitor internal attacks or intrusion activities. Also, can I use two copies of Snort (installed on two separate servers), one to monitor the external port outside my firewall and the other to monitor specific internal ports for signature matches. Does anyone have any experience, inputs or documentation on this matter? Thanks.
>
> Snort can be used for any type of detection. It all depends on where you place it and what you want to see. You can use as many copies as you want. It doesn't care that you're using more than one. All it takes is the correct physical placement, and the correct setting of your HOME_NET/EXTERNAL_NET.
>
> Check out the placement docs on Snort.org. They have a lot of useful info in them. You might also want to check out this [0].
>
> Cheers!
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
>
> [0] http://www.theadamsfamily.net/~erek/snort/ids_placement.txt
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: INetU
> Attention Web Developers & Consultants: Become An INetU Hosting Partner.
> Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
> INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
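An added example, not part of either message: the thread's two points (one Snort instance per interface with its own log directory, and HOME_NET/EXTERNAL_NET set per placement) sketched as a shell script that only prints the per-sensor variables and start commands. Interface names, networks and paths are constructed placeholders; setting EXTERNAL_NET to `any` on internal segments is this example's choice so that host-to-host traffic inside the segment can match rules written as `$EXTERNAL_NET -> $HOME_NET`.

```shell
#!/bin/sh
# Added example: per-interface Snort sensor settings.
# Interface names, networks and paths below are constructed placeholders.

CONF_DIR=/etc/snort
LOG_DIR=/var/log/snort

# iface|role|HOME_NET for a four-NIC firewall like the one described
SENSORS='fxp0|external|198.51.100.0/24
fxp1|dmz|192.0.2.0/24
fxp2|internal|10.10.1.0/24
fxp3|internal|10.10.2.0/24'

# Print the address variables for one sensor's snort.conf.
sensor_vars() {
    role=$1
    net=$2
    printf 'var HOME_NET %s\n' "$net"
    case $role in
        internal)
            # Host-to-host traffic inside the segment has a HOME_NET source,
            # so "!$HOME_NET" would hide it from $EXTERNAL_NET -> $HOME_NET rules.
            printf 'var EXTERNAL_NET any\n' ;;
        *)
            printf 'var EXTERNAL_NET !$HOME_NET\n' ;;
    esac
}

# Print the command that starts one daemonized instance with its own
# config file and log directory.
sensor_cmd() {
    iface=$1
    printf 'snort -D -i %s -c %s/%s.conf -l %s/%s\n' \
        "$iface" "$CONF_DIR" "$iface" "$LOG_DIR" "$iface"
}

# Emit the plan for every sensor (nothing is started or written here).
plan() {
    printf '%s\n' "$SENSORS" | while IFS='|' read -r iface role net; do
        printf '# %s (%s)\n' "$iface" "$role"
        sensor_vars "$role" "$net"
        sensor_cmd "$iface"
    done
}

plan
```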
Current thread:
- Using SNORT for Internal IDS Pankaj Gupta (Jun 25)
- Re: Using SNORT for Internal IDS Erek Adams (Jun 25)
- Re: Using SNORT for Internal IDS Bryan Irvine (Jun 25)
- <Possible follow-ups>
- RE: Using SNORT for Internal IDS Hutchinson, Andrew (Jun 25)
- Re: Using SNORT for Internal IDS Erek Adams (Jun 25)