Re: Place to install Snort

[Wei Chea Ang <weichea () gmail com>]

There is no hard rules for sensor placement. Personally I would place it
behind the FW, less noise since FW should block some of the unwanted
traffic.

If you want to do blocking, then you need to put the sensor inline. You
might want to invest in bypass kit, so there is no interruption to your
network if the hardware fails.

Yes, you could run snort on a VM, but I'm not sure if you can do inline on
VM though.

On Wednesday, January 28, 2015, Minh Trung <mvtrung27 () gmail com> wrote:

> Hello expert,
>
> I miss my network design.
>
> Here is the full of design:
>
> [image: Inline images 1]
>
> Where i can place Snort to detect, alert and block if it can? is it
> possible running Snort on VMware?
>
> Any suggestion, please let me know
>
> Regards,
>
>
> On 24 January 2015 at 02:27, waldo kitty <wkitty42 () windstream net
> <javascript:_e(%7B%7D,'cvml','wkitty42 () windstream net');>> wrote:
>
> > On 1/22/2015 11:43 PM, Minh Trung wrote:
> > [...]
> > > Is this possible to place Snort  on vmware ? which spec i need to
> > > configuration for this machine? I want to capture all from Router, how
> > to
> > > configuration Snort to listen everything on Router, how configuration
> > > router look like?
> > > Any suggestion please let me know
> >
> > you probably really want to put your sensor as close to the router if you
> > want
> > it to sniff all the traffic the router sees... perhaps an inline
> > configuration
> > where the traffic passes from the router through the sensor... if not set
> > there
> > in inline mode, then hung off of there so sniff the traffic as it passes
> > by...
> >
> > but you can probably also use a dedicated nic in the vm machine for snort
> > to use
> > and have that wired to a span or mirror port from the router...
> >
> > there are numerous ways but which you choose depends on what you want
> > snort to
> > do for your environment... do you want it to just detect and alert? do
> > you want
> > it to detect, alert and block? there're more decisions but i'm not sure
> > of any
> > design examples or drawings with the various layouts possible... this is
> > something you really need to study and consider the options for...
> >
> > --
> >   NOTE: No off-list assistance is given without prior approval.
> >         Please *keep mailing list traffic on the list* unless
> >         private contact is specifically requested and granted.
> >
> >
> > ------------------------------------------------------------------------------
> > New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> > GigeNET is offering a free month of service with a new server in Ashburn.
> > Choose from 2 high performing configs, both with 100TB of bandwidth.
> > Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> > http://p.sf.net/sfu/gigenet
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > <javascript:_e(%7B%7D,'cvml','Snort-users () lists sourceforge net');>
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!

-- 
Regards
Wei Chea

Sent from Gmail Mobile

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!