I am experimenting with Zeek, but this may apply just as well to Suricata or Snort.
I don't get how you connect an IDS to the network. As I understand it, it analyses traffic, something like parsing tcpdump
on a continuous basis and applying regexes plus custom conditions to it.
Do I need to pass the traffic through the IDS device (it's a simple Debian-based device)? Or can the device work only by sniffing broadcast traffic, by simply plugging it into a switch port?
If it needs to pass through the IDS device, should I set up a DHCP server?