stuff@trackingsolutions.ca wrote:
The first scenario:
Internet --> Modem --> snortbox --> router --> local network
will not allow me to specify what machine is sending information. It would
just give me the ip of the router. Right?
If you're NATing, yes.
The second scenario:
Internet --> modem --> router --> snortbox --> switch --> local network
this scenario will allow me to monitor the activity from within the local
network.
Yes.
In the second scenario is it nessicary to run iptables or is iptables used to
route the traffic?
iptables would be used to provide the bridging, so it's needed.
Also I do see the value of squid to monitor the traffic to the web.
Ok. To "monitor the traffic to the web", you need some form of activity
logging. Furthermore, you need some form of data analysis to make sense
of the logs, unless you intend to manually review all of the log lines.
Within the context of data analysis of web logs, there are more tools
available to squid then there are to snort, because snort isn't meant to
do this type of work. Squid, on the other hand, is.
Unfortunately, I can't explain any better than this why you'd want to
use squid to monitor web activity. Using a proxy to audit user web
activity versus using an IDS for the same seems intuitive to me (unless
you're doing policy-based auditing, in which case you're not monitoring
*all* activity, just the activity that might violate policy).
- Ramon
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
