On Tue, 12 Nov 2002 20:01:21 +1100 (EST) Rowel Atienza <[EMAIL PROTECTED]> wrote:
>
> On Tue, 12 Nov 2002, Ronald Warner wrote:
>
> > so snort can be used as a host ids but snort can also be used as a
> > network ids. right?
>
> Not 100% yes. Snort operates somehow similar to tcpdump in the
> promiscuous mode. If your ip layer can listen to packets destined to
> other ethernet cards, then you can let snort analyze those packets and
> report anomalous connections. Based on my experience you can capture
> packets destined to a network (e.g. your subnet) but not all. However,
> even if you can't see them all, you can see some pattern of anomalous
> behavior in the logs. For example, syn scan of your network is easy to
> detect as a certain ip address is distributing syn packets to multiple
> hosts.
>
> rowel
>

100% yes, this depends on your network setup, if you put a bridge
between your Internet provider and your local area network or other
network to your local network, snort in your bridge firewall your entire
network.

regards,

--
Jimmy Lim
Operation & Support Team Leader
Tricom

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
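
The SYN-scan pattern described in the quoted message (one source address sending SYN packets to many hosts), shown as an added example that is not part of the original thread and is not Snort's own detection code. It reads constructed `tcpdump -n -tt` style lines; the function name `find_syn_fanout`, the window and host thresholds, and all addresses are assumptions.

```python
import re
from collections import defaultdict, deque

# tcpdump -n -tt style line: epoch time, src ip.port > dst ip.port, TCP flags
LINE_RE = re.compile(
    r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"Flags \[([^\]]+)\]"
)

def find_syn_fanout(lines, window=10.0, min_hosts=5):
    """Return {src_ip: max distinct hosts SYN'd within `window` seconds}
    for every source that reached `min_hosts` (hypothetical thresholds)."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # non-TCP or unparseable line
        ts, src, _sport, dst, _dport, flags = m.groups()
        if flags != "S":          # pure SYN only; "S." is a SYN-ACK reply
            continue
        ts = float(ts)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop SYNs that fell out of the window
        hosts = len({d for _, d in q})
        if hosts >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), hosts)
    return flagged

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    # one source sweeping port 22 across the subnet
    *[f"1037091681.{i:06d} IP 203.0.113.7.{40000+i} > 192.168.1.{10+i}.22: "
      f"Flags [S], seq {i}, win 1024, length 0" for i in range(8)],
    # a normal client opening several connections to one web server
    *[f"1037091682.{i:06d} IP 192.168.1.50.{50000+i} > 198.51.100.20.80: "
      f"Flags [S], seq {i}, win 5840, length 0" for i in range(8)],
    # server replies (SYN-ACK) must not be counted as scanning
    *[f"1037091683.{i:06d} IP 198.51.100.20.80 > 192.168.1.{60+i}.{50000+i}: "
      f"Flags [S.], seq {i}, ack 1, win 5840, length 0" for i in range(8)],
]

if __name__ == "__main__":
    for src, hosts in find_syn_fanout(SAMPLE).items():
        print(f"possible SYN scan: {src} sent SYNs to {hosts} hosts")
```

Because the count is per source over whatever packets the sensor receives, it still fires when only part of the subnet's traffic is visible, as long as the visible part reaches the threshold.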
