RE: Snort sensor placement
From: Dave Vehrs (davev@spiremedia.com)
Date: 09/21/01
From: "Dave Vehrs" <davev@spiremedia.com>
To: "'Brian Carvalho'" <brian.carvalho@verizon.net>, <focus-ids@securityfocus.com>
Subject: RE: Snort sensor placement
Date: Fri, 21 Sep 2001 09:55:39 -0600
Message-ID: <005001c142b5$dd2137a0$9701010a@spiremedia.com>
Close, but what is the small hub connecting to? If it's another hub, then you
will see all the traffic from it too.
What I would do is this:
 -----      --------      -----------      --------
| LAN |----| SWITCH |----| SMALL HUB |----| SERVER |
 -----      --------      -----------      --------
                               |
         (receive only cable)->|
                               |
                            -------
                           | SNORT |
                            -------
You can find information on how to build a receive-only network cable at:
http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/
Then I would either manage the Snort sensor directly from its own
monitor/keyboard or add a second "management" interface to connect back to a
secure location on the LAN.
Good Luck,
Dave V.