Snort mailing list archives

RE: Newbie Questions


From: jan () radio hundert6 de
Date: Mon, 18 Jun 2001 16:20:38 -0000 (GMT)

> traffic behind our firewall first. I plan later to add another
> server outside the firewall once I get a good grasp on what I am
> doing and seeing.

Hm. One could probably argue, but for me personally I found it
more educative to watch just about everything that hit my
external subnet when I started toying around with snort. Thus, I
plugged the snort box in a hub, together with the firewall. It's
nice to have a second sensor behind the firewall, but with a
'parallel' setup you get to see a lot of traffic that would
otherwise look pretty boring in the 'block logs' of your
preferred firewall. 

I got the advice for the first setup from Dominiq Brzinski from
Amazon, who doesn't seem to be on the list anymore...?! Anyway,
do as I did: Simply bring the 'sniffing' interface up, i.e. do
not assign an IP address to it. Snort brings it into promiscuous
mode, so every ethernet frame will cause an interrupt and you'll
get all the frames received by the NIC. Thus - you'll be able to
see what's coming in without being visible layer 3 wise. 

For extra paranoia compliance, build a 'read-only' cable, which
has only the RX-wires connected. I've done this, but it's months
ago and I can't remember the layout :-% 

Anyway, hope it helps. The USAGE file that comes with snort is a
great place to start btw., so is the entire info on the website. 


Cheers, Jan

-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther () radio hundert6 de
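An added sanity check (not part of Jan's post) for the sensor setup he describes: the sniffing interface should be up and promiscuous but carry no IP address, so it stays invisible at layer 3. It assumes a Linux box with sysfs (`/sys/class/net/<dev>/flags`) and iproute2's `ip` command.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a Snort
# sniffing interface is "stealth": link up, promiscuous, no IP address.
# Assumes Linux sysfs and iproute2.

# Interface flag bits from <linux/if.h>.
IFF_UP=1          # 0x1
IFF_PROMISC=256   # 0x100

# Each helper takes the flags word as sysfs prints it (hex, e.g. 0x1103).
flags_up()      { [ $(( $1 & IFF_UP )) -ne 0 ]; }
flags_promisc() { [ $(( $1 & IFF_PROMISC )) -ne 0 ]; }

# Succeeds when the device has no IPv4 or IPv6 address assigned.
iface_has_no_addr() {
    [ -z "$(ip -o addr show dev "$1" 2>/dev/null)" ]
}

# Prints one line per check; returns 0 only when all three pass.
check_sensor_iface() {
    dev=$1
    flags=$(cat "/sys/class/net/$dev/flags" 2>/dev/null) || {
        echo "$dev: no such interface"; return 2; }
    rc=0
    if flags_up "$flags"; then
        echo "$dev: link is up"
    else
        echo "$dev: link is DOWN"; rc=1
    fi
    if flags_promisc "$flags"; then
        echo "$dev: promiscuous mode on"
    else
        echo "$dev: NOT promiscuous (is snort running on it?)"; rc=1
    fi
    if iface_has_no_addr "$dev"; then
        echo "$dev: no IP address (invisible at layer 3)"
    else
        echo "$dev: has an IP address, remove it"; rc=1
    fi
    return $rc
}

# Usage: ./check_sensor.sh eth1
if [ $# -eq 1 ]; then
    check_sensor_iface "$1"
fi
```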
