Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] snort deployment

from [Will Metcalf] Network Security [Permanent Link]
Subject: Re: [Snort-users] snort deployment
Date: Tue, 30 Aug 2005 14:38:43 -0500 
Hmmmm I agree with David, if you are only going to be passively
monitoring traffic (alerting) there is no need to run in inline mode. 
You will probably introduce some unnecessary latency into your
network.  I would investigate using a span port or a tap.

Regards,

Will

On 8/30/05, David Klotz <bucky@speakeasy.org> wrote:

On Tue, 30 Aug 2005, MAEDA wrote:


You should run snort as inline-mode (see manual version 2.3.x).
In inline-mode, snort takes packet informations from target QUEUE of 
iptables.
So, you make bridge between two NICs, and assign QUEUE to FORWARD-chain 
target.



Wouldn't inline just add another layer of complexity when it's not needed?  I
would go with the switch and the span port, unless you have some specific need
for inline, such as connection killing or any of the IPS style functionality.
But I'm no expert...

--
-Dave
-bucky@speakeasy.org



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] how to further diagnose 'ICMP Destination Unreachable' problem?, Stephen Nesman
Next by Date:  Re: [Snort-users] snort deployment, fname lname
Previous by Thread:  Re: [Snort-users] snort deployment, David Klotz
Next by Thread:  Re: [Snort-users] snort deployment, fname lname
Indexes:  [Date] [Thread] [Top] [All Lists]