RE: Passive Snort Setup



Yes, this is possible through Ethernet bridging, which will transparently forward frames (not packets; we're operating at layer 2, not layer 3) between two network segments. In this configuration, the bridged interfaces do not need an IP address. However, it is recommended that a third interface be present with an IP address so you may manage the system remotely. Once the system has been configured as a bridge and is successfully forwarding frames, you can configure iptables and run Snort in inline mode.

A quick Google search for "snort on ethernet bridge" returned a really good document: http://www.hakin9.org/prt/view/building-ips.html


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Daniel Hood
Sent: Thursday, February 19, 2009 4:19 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Passive Snort Setup

Is it possible to set up a Snort IDS system with a topology like this:

hosts > switch > Snort-IDS > Router

But have no IP address on either interface of the Snort box, and have it just forward packets through after checking them for malicious activity? I don't want the Snort box to do NAT or be the default gateway, I just want it to passively be there.

Daniel
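The setup described in the reply above, as an added example that is not part of the thread: a Linux bridge over the two sensor legs with no IP address on either leg (or on the bridge itself), a third addressed interface for management, bridged traffic diverted from the iptables FORWARD chain to NFQUEUE, and Snort started in inline mode on that queue. Interface names (eth0/eth1/eth2), the management address, the queue number and the Snort configuration path are assumptions; the Snort command line is the Snort 2.9+ DAQ syntax, while the 2009-era snort_inline build used the ip_queue target instead. Run it without arguments to print the commands, or with "apply" as root to execute them.

```shell
#!/bin/sh
# Transparent Snort inline sensor on a Linux bridge (added example, not
# from the thread). The two bridged legs carry no IP address; a third
# interface is the only addressed one, for management. Bridged IPv4
# traffic is diverted from the FORWARD chain to NFQUEUE, where Snort
# reads it in inline mode. Interface names, the management address, the
# queue number and the Snort config path are assumptions.
set -eu

IN_IF=${IN_IF:-eth0}            # leg towards the switch / hosts (assumed)
OUT_IF=${OUT_IF:-eth1}          # leg towards the router (assumed)
BR=${BR:-br0}
MGMT_IF=${MGMT_IF:-eth2}        # management-only interface (assumed)
MGMT_ADDR=${MGMT_ADDR:-192.0.2.10/24}   # RFC 5737 documentation address
QUEUE=${QUEUE:-0}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
QUEUE_BYPASS=${QUEUE_BYPASS:-0} # 1 = fail open when Snort is not running
DRY_RUN=${DRY_RUN:-0}           # 1 = print commands instead of executing

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Layer-2 bridge: frames are forwarded between IN_IF and OUT_IF without
# any IP configuration on the legs or on the bridge itself.
bridge_up() {
    run ip link add name "$BR" type bridge
    run ip link set "$IN_IF" master "$BR"
    run ip link set "$OUT_IF" master "$BR"
    run ip link set "$IN_IF" up
    run ip link set "$OUT_IF" up
    run ip link set "$BR" up
    # Deliberately no "ip addr add" here: the sensor stays invisible on
    # the monitored segment.
}

# The only addressed interface; SSH etc. is reachable here and nowhere else.
mgmt_up() {
    run ip addr add "$MGMT_ADDR" dev "$MGMT_IF"
    run ip link set "$MGMT_IF" up
}

# Make bridged packets visible to iptables and hand them to Snort.
inline_redirect() {
    run modprobe br_netfilter 2>/dev/null || true  # part of 'bridge' on old kernels
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Belt and braces: even without an address, refuse anything the kernel
    # might try to deliver locally from the bridge.
    run iptables -I INPUT -i "$BR" -j DROP
    # Everything bridged goes to the queue. Without --queue-bypass an
    # unbound queue DROPS packets, so traffic stops if Snort dies (fail
    # closed). --queue-bypass needs a newer kernel/iptables than the thread's era.
    if [ "$QUEUE_BYPASS" = 1 ]; then
        run iptables -I FORWARD -i "$BR" -o "$BR" -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
    else
        run iptables -I FORWARD -i "$BR" -o "$BR" -j NFQUEUE --queue-num "$QUEUE"
    fi
}

# Snort in inline mode reading from the queue (Snort 2.9+ DAQ syntax; the
# 2009-era snort_inline build used the ip_queue target instead).
snort_inline() {
    run snort -Q --daq nfq --daq-var queue="$QUEUE" -c "$SNORT_CONF"
}

plan() { bridge_up; mgmt_up; inline_redirect; snort_inline; }

case "${1:-show}" in
    apply) plan ;;             # needs root
    show)  DRY_RUN=1; plan ;;  # print what "apply" would run
esac
```

The fail-closed behaviour of NFQUEUE is worth deciding on deliberately: with the default rule, a crashed or stopped Snort process cuts the segment off from the router, which is safer for an IPS but will be noticed as an outage; QUEUE_BYPASS=1 trades that for fail-open, where traffic flows uninspected while Snort is down.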