Snort implementation

[Stingreen]

Hello guys,
We have sonicwall PRO 330 firewall, and I'd like to implement snort into a linux box and attach it to firewall to sniff incoming and outgoing attacks. Now the question is, I could implement the snortbox between the internet and sonicwall plugging it into a hub. However, I'm rather concerned that there will be a lot of collisions in the hub, slowing down the network thruput. Is there any other way that I could try you could think of ? I could keep the snort box in the DMZ but it wouldn't catch all the packets since DMZ port is connected to 100 Mbit switch not a hub. ( and eventually snort box will only catch the packets which is directed to it, not the packets broadcasted over the DMZ network )
Any ideas are appreciated on this,
Thank you.

 

[LarryTheCucumber]

I have Snort setup as follows

eth0 -- Internal address for ACID connection

eth1 -- no address - set in promiscuous

If you have only the Sonic Wall, Internet Router and
SNORT there should not be a problem with collisions.

Since eth1 is without an address and in promiscuous mode
it will only pick-up all of the packets from the hub


See the SNORT-ACID setup docs.

 

[SgtB]

http://www.snort.org/docs/

Pick your installation guide! The one with redhat, mysql, and snort is a great pdf!

I'd put the external interface of the firewall into a hub, and place the exteranl interface of the snort box into the same hub. Then uplink to the upstream router. Then snort will sniff away. Don't worry about collisions, or a throughput hit. The hub is going to be 100mbps right? So how fast is your internet connection? 1.5mbps? The hub won't be your bottleneck.

Ideally you'd use a hub, but you can use a switch too. You'd have to set up port mirroring/monitoring on the switch.

Cool upcoming game! Check it out!

http://www.planetside-universe.com

!