IDS?

Ben Ricker yellowdog-general@lists.terrasoftsolutions.com
Tue Dec 2 11:29:01 2003


On Tue, 2003-12-02 at 12:15, Longman, Bill wrote:
> > Additionally, you would need to put the NIC of the box in promiscuous
> > mode, which may not sit well with the network person.
> 
> You don't *need* to run snort in promiscuous mode. If you are willing to
> scan for broadcast and unicast-to-your-machine packets, there's no need for
> promiscuous. Use the -p option to take it out of promiscuous mode. Snort is
> incredibly CPU intensive so you wouldn't want to run it on your box at any
> rate. 

I had forgotten about that option. I guess it goes back to only having
worked on network-wide Snort setups! Good point!

I would also add that Snort is VERY disk space intensive (though only
capturing the packets inbound and outbound from one machine will be less
so). And, depending on load, it can grow very quickly. If you do not put
the data files in one partition, you may end up with a full filesystem.

HTH,

Ben Ricker
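The two points in the thread above (run Snort with `-p` so the NIC stays out of promiscuous mode, and keep the log files on their own filesystem so a busy day cannot fill the root partition) as a small preflight script. This is an added example, not code from the list or from the Snort project; the paths `/var/log/snort` and `/etc/snort/snort.conf` and the interface name `eth0` are assumptions, and the free-space threshold is arbitrary.

```shell
#!/bin/sh
# Preflight for a single-host (non-promiscuous) Snort run.
# Added example, not from the original thread. Assumed paths below.

SNORT_LOG_DIR=${SNORT_LOG_DIR:-/var/log/snort}      # assumed
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}     # assumed
SNORT_IFACE=${SNORT_IFACE:-eth0}                    # assumed
MIN_FREE_KB=${MIN_FREE_KB:-1048576}                 # 1 GiB, arbitrary

# Device number of a path; GNU stat first, BSD stat as fallback.
dev_of() {
    stat -c %d "$1" 2>/dev/null || stat -f %d "$1"
}

# 0 if DIR is its own mount point: its device number differs from its
# parent's. "/" reports 1 here because "/.." is "/" itself.
is_mount_point() {
    dir=$1
    [ -d "$dir" ] || return 1
    dev=$(dev_of "$dir") || return 1
    pdev=$(dev_of "$dir/..") || return 1
    [ "$dev" != "$pdev" ]
}

# Free space in KiB on the filesystem holding DIR (POSIX df -P, 1K blocks).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# 0 if the log directory is a separate filesystem with enough room;
# otherwise print why and return 1. This is the check the thread is
# asking for: a full Snort log partition must not take down the host.
check_log_dir() {
    dir=$1
    ok=0
    if ! is_mount_point "$dir"; then
        echo "WARN: $dir is not its own filesystem; a full Snort log will fill the parent filesystem" >&2
        ok=1
    fi
    free=$(free_kb "$dir")
    if [ -z "$free" ] || [ "$free" -lt "$MIN_FREE_KB" ]; then
        echo "WARN: $dir has ${free:-?} KiB free, below $MIN_FREE_KB KiB" >&2
        ok=1
    fi
    return $ok
}

# Command line for a single-host run:
#   -p  do not put the interface into promiscuous mode (only traffic to,
#       from or broadcast to this host is seen, as Bill describes)
#   -i  interface, -c config, -l log directory, -D daemonise
snort_cmd() {
    iface=$1; conf=$2; logdir=$3
    printf 'snort -p -i %s -c %s -l %s -D\n' "$iface" "$conf" "$logdir"
}

# Top-level run, skipped when the file is sourced for testing.
if [ "${SNORT_PREFLIGHT_MAIN:-1}" = 1 ] && [ "$(basename "$0")" != "sh" ]; then
    check_log_dir "$SNORT_LOG_DIR" || echo "proceeding anyway; fix the warnings above" >&2
    snort_cmd "$SNORT_IFACE" "$SNORT_CONF" "$SNORT_LOG_DIR"
fi
```

Run it once before starting Snort on a workstation; the mount-point check is the part that catches the "full filesystem" failure Ben mentions, and the printed command is what you would paste into an init script.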