[svlug] running snort behind a firewall

Wayne Earl wayne at qconcepts.net
Tue Mar 20 15:03:02 PST 2001


I've got a client that wants an IDS placed behind their firewall, which
protects their webserver farm. Everything behind the firewall is running
on switches (100baseT), and I am loath to mirror traffic on the switches
so that a box running snort can sniff the packets.

I thought that I could run a hub immediately following the firewall, with
only the snort box on it and a crossover to the main switch. Basically:

______      _______
| fw |______| hub |----> to IDS
|    |      |     |----> to switch (and rest of server farm)
------      -------

That way, all traffic is broadcast to each port in the hub, allowing the
IDS machine to capture its data. And I don't have to reconfigure the
switches to mirror data to the port that the IDS is connected to.

Will this work the way I suspect it to work?

-- 
Wayne Earl
wayne at qconcepts.net
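A check worth running once the hub is in place, added here as an example and not part of the original post: it parses the link-layer lines that `tcpdump -e` prints on the snort box (the sample lines below are constructed) and reports whether frames between two other hosts are showing up, which is what a hub delivers and a plain switch port does not. The IDS MAC address and the exact output format are assumptions.

```python
import re

# Link-layer prefix of a `tcpdump -e` line on Ethernet: "<ts> <src MAC> > <dst MAC>, ..."
# Assumption: classic Ethernet output; other link types print a different header.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),",
    re.IGNORECASE,
)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify_frame(line, ids_mac):
    """Return 'own', 'broadcast', 'multicast', 'third_party', or None if unparsable."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    src, dst = m["src"].lower(), m["dst"].lower()
    if ids_mac.lower() in (src, dst):
        return "own"            # a switch port would show these anyway
    if dst == BROADCAST:
        return "broadcast"      # also visible on a switch port
    if int(dst[:2], 16) & 1:    # group bit set in the first octet
        return "multicast"
    return "third_party"        # only a hub (or a mirror port) delivers these

def tap_visibility(lines, ids_mac):
    """Count frame classes; the tap is confirmed only if third-party frames appear."""
    counts = {"own": 0, "broadcast": 0, "multicast": 0, "third_party": 0, "unparsable": 0}
    for line in lines:
        counts[classify_frame(line, ids_mac) or "unparsable"] += 1
    return counts, counts["third_party"] > 0

# Constructed sample capture; the snort box's own NIC is 00:50:56:aa:00:ff (assumed).
SAMPLE_LINES = [
    "15:03:02.000001 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), "
    "length 74: 10.0.0.5.43210 > 10.0.0.8.80: Flags [S], seq 1, win 64240, length 0",
    "15:03:02.000230 00:50:56:aa:00:02 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), "
    "length 74: 10.0.0.8.80 > 10.0.0.5.43210: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "15:03:02.000400 00:50:56:aa:00:09 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Request who-has 10.0.0.1 tell 10.0.0.9, length 28",
    "15:03:02.000500 00:50:56:aa:00:ff > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), "
    "length 98: 10.0.0.250 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64",
    "listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes",
]

if __name__ == "__main__":
    counts, ok = tap_visibility(SAMPLE_LINES, "00:50:56:aa:00:ff")
    print(counts, "hub visibility confirmed" if ok else "only own/broadcast traffic seen")
```

If every frame comes back as `own` or `broadcast`, the box is effectively on a switch port and the hub is not doing what was intended.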