Re: Passive Snort Setup
On Fri, 20 Feb 2009 11:19:08 +1100, Daniel Hood <dsmhood@xxxxxxxxx> wrote:
> Is it possible to set up a Snort IDS system with a topology like this:
> hosts > switch > Snort-IDS > Router
> But have no IP address on either interface of the Snort box, and have it
> just forward packets through after checking them for malicious
> activity? I don't want the Snort box to do NAT or be the default
> gateway, I just want it to passively be there.
Get a setup like this one. I'm using it and it works smoothly.
http://snortattack.org/docs/IPS_3M_eng.pdf
> Daniel
--
Michal Purzynski
RSBAC Team