#1
Can I use Snort on a client instead of a server?
Hello everybody. I read (if I am wrong, I am sorry) that Snort is only for servers. Is there any way I can use it on a client instead? If this possibility is already there, please be so kind as to tell me. Thanks in advance.
#2
Basically Snort is an application that tries to make a "profile", or "behavior pattern", of network traffic, in order to signal a sudden, strong change in that behavior. The point here is that it has to be able to see the traffic.

Servers are (because of their often central role in a network) a good candidate: they can see a great part of all the traffic on the network, simply because they are part of most conversations. Other good candidates are gateways: they will be able to see all traffic that is traveling from one network segment towards another segment (mostly that other segment being the Internet).

A normal workstation will only be able to see the traffic on the segment which it is part of. And if the network connections are made with a switch (as opposed to a hub), it will only see the traffic that is broadcast on the segment (that is: explicitly sent to all connected hosts) and traffic in which it is itself one of the communicating hosts. But it won't see any packet of what a neighbor workstation is communicating with a server (or a gateway) in that very same segment. That's why I emphasized the phrase: able to see the traffic.

I think an ideal situation is that you use switches for all your network segments (because switches do have great advantages over hubs), but see to it that those switches all have a monitoring port to which they deliver a copy of each packet that travels through them. Then you connect one or more PCs to those monitoring ports and run Snort on them. They will be able to see all the traffic, and analyze it for you.

A little less ideal (but easier to configure and less expensive) is that you install Snort on all servers and possibly routers and gateways in your network, and have them send their data to one of them (or a separate workstation) for analyzing purposes.

Now for a small network, with

That will explain why you read that Snort is for servers, I guess. But the location in the network is what counts, the ability to see network traffic. And whether you analyze that on a server or a workstation is of less importance.

Regards,
Jaap.
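The visibility argument in the reply above, as an added example that is not part of the original thread: a small Python model of which frames the network card of a Snort host receives on a hub, on an ordinary switch port, and on a switch monitoring port. The host names and the eight frames are constructed, and the switch is assumed to have already learned which port every host is on.

```python
# Added illustration: what a sensor's NIC can see, by placement in the network.
# Host names and frames are constructed sample data, not from the thread.
BROADCAST = "*broadcast*"

# (source host, destination host) for each constructed frame on one segment
FRAMES = [
    ("ws1", "server"),      # neighbour workstation talking to the server
    ("server", "ws1"),
    ("ws1", "gateway"),     # neighbour workstation going out via the gateway
    ("gateway", "ws1"),
    ("ws1", BROADCAST),     # sent explicitly to all connected hosts
    ("ws2", "server"),      # ws2 itself talking to the server
    ("server", "ws2"),
    ("server", "gateway"),
]

def visible_frames(frames, placement, host="ws2"):
    """Frames that reach the sensor's NIC (in promiscuous mode).

    placement "hub":    shared medium, every port receives every frame.
    placement "switch": Snort runs on `host`, attached to a normal switch
                        port; unicast is delivered only to the destination
                        port (assumes the MAC table is already learned).
    placement "mirror": dedicated PC on a monitoring port that receives a
                        copy of each frame; `host` is ignored.
    """
    if placement not in ("hub", "switch", "mirror"):
        raise ValueError("unknown placement: %r" % placement)
    if placement in ("hub", "mirror"):
        return list(frames)
    return [(src, dst) for src, dst in frames
            if dst == BROADCAST or host in (src, dst)]

def missed_frames(frames, placement, host="ws2"):
    """Frames on the segment that the sensor never receives."""
    seen = visible_frames(frames, placement, host)
    return [f for f in frames if f not in seen]

if __name__ == "__main__":
    for placement, host in [("hub", "ws2"), ("switch", "ws2"),
                            ("switch", "gateway"), ("switch", "server"),
                            ("mirror", "monitor-pc")]:
        seen = visible_frames(FRAMES, placement, host)
        print("%-7s %-10s sees %d of %d frames"
              % (placement, host, len(seen), len(FRAMES)))
```
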
#3
Thanks for your answer.
Dev Shed Forums > System Administration > Security and Cryptography > Can I use Snort on a client instead of a server?