On Tue, 12 Nov 2002, Ronald Warner wrote:

> so snort can be used as a host ids but snort can also be used as a network
> ids.  right?
>

Not 100% yes. Snort operates somewhat similarly to tcpdump in
promiscuous mode. If your IP layer can listen to packets destined for other
Ethernet cards, then you can let Snort analyze those packets and report
anomalous connections. Based on my experience, you can capture packets
destined for a network (e.g. your subnet), but not all. However, even if you
can't see them all, you can see some pattern of anomalous behavior in the
logs. For example, a SYN scan of your network is easy to detect, as a certain
IP address is distributing SYN packets to multiple hosts.

rowel
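
The SYN-scan pattern described in the reply above (one source address sending SYNs to many hosts), as an added example that is not part of the original message: it reads `tcpdump -n` style lines and counts distinct destination hosts per source within a time window. The function name, thresholds and sample capture are assumptions constructed for illustration, and timestamps are assumed not to cross midnight.

```python
import re
from collections import defaultdict

# tcpdump -n style: HH:MM:SS.frac IP src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+)\.\d+ IP "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[([^\]]+)\]"
)

def find_syn_scanners(lines, min_hosts=4, window=10):
    """Return {src_ip: most distinct hosts sent a bare SYN within any
    `window`-second span}, for sources that reach `min_hosts`."""
    events = defaultdict(list)              # src -> [(seconds, dst), ...]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # non-TCP or unparsable line
        h, mi, s, src, dst, flags = m.groups()
        if flags != "S":                    # "S." is SYN+ACK (a reply): skip
            continue
        events[src].append((int(h) * 3600 + int(mi) * 60 + int(s), dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        if best >= min_hosts:
            scanners[src] = best
    return scanners

# Constructed sample capture. The sensor sees only part of the sweep
# (hosts .4, .6 and .7 are missing), yet the fan-out pattern still shows.
SAMPLE = """\
10:15:01.100000 IP 203.0.113.7.40001 > 192.168.1.2.22: Flags [S], seq 1, win 1024, length 0
10:15:01.300000 IP 203.0.113.7.40001 > 192.168.1.3.22: Flags [S], seq 1, win 1024, length 0
10:15:01.900000 IP 192.168.1.20.51000 > 198.51.100.10.80: Flags [S], seq 7, win 64240, length 0
10:15:02.000000 IP 198.51.100.10.80 > 192.168.1.20.51000: Flags [S.], seq 9, ack 8, win 65535, length 0
10:15:02.200000 IP 203.0.113.7.40001 > 192.168.1.5.22: Flags [S], seq 1, win 1024, length 0
10:15:03.400000 IP 203.0.113.7.40001 > 192.168.1.8.22: Flags [S], seq 1, win 1024, length 0
10:15:03.600000 IP 203.0.113.7.40001 > 192.168.1.9.22: Flags [S], seq 1, win 1024, length 0
10:15:04.000000 IP 192.168.1.20.51001 > 198.51.100.11.443: Flags [S], seq 3, win 64240, length 0
""".splitlines()
```

Calling `find_syn_scanners(SAMPLE)` flags only 203.0.113.7; the ordinary client 192.168.1.20 contacts two hosts and stays below the threshold.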

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph