Snort mailing list archives

Re: Re: IDS


From: Dragos Ruiu <dr () kyx net>
Date: Fri, 7 Dec 2001 09:32:38 +0000


There is no real _rule_ for whether you should put your _first_ ids sensor on the 
inside or on the outside.  For me it boils down to: if I only have time to check
the logs frequently for one box on that network, do I want to spend the time
looking at what I know _is_ a problem / inside (attacks that got in through
the firewall or outbound from an owned box) or to look at potentially more data
on the outside (including the perpetual portscanning and doorknob rattling 
general noise level on the internet) giving more threat visibility albeit 
potentially more spurious noise.

If you are running snort _on_ the firewall you don't need virtual machines. Just
run a snort process on each interface (Assuming you do not have large traffic 
volumes or anemic firewall cpus).  But the eyeball quotient for log review is 
likely a greater factor in choosing which interface logs to look at in terms
of providing any effective increase in security. After all if an alert goes off
in the woods and no-one is there to hear it did it really matter.... :-)

cheers,
--dr

On Fri, 7 Dec 2001 16:24:10 +0100
Tom Fischer <tfischer () abh de> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, 7 December 2001 16:11, you wrote:
outside.
so now that i know it's outside (contrary to what i thought before..)
how would one set up an IDS to be inside?

of course you could always _physically_ put the ids second in line
of traffic.. but would that be the only way?

not sure at all, but i think it's the only way. maybe a virtual machine on 
the firewall could do the job.

Tom
- -- 
Tom Fischer                   ABH Marketingservice GmbH
System Administrator          Weisshaustraße 23a
Tel: 0221-94400446            50939 Köln      
http://www.abh.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjwQ3xwACgkQwafQrcfco8E4tgCfSPtHUIpUHXFVXi0qKt70yaaO
aCUAnAm1r6kwFim1yPgyu8sBYtDQbYFK
=J0A/
-----END PGP SIGNATURE-----


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
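
The "one snort process per interface" setup described above, as an added example that is not part of the thread or of the Snort project: a small POSIX sh wrapper that starts one sensor per firewall interface, each writing to its own log directory so inside and outside alerts never get mixed in review. The interface names, the config path `/etc/snort/snort.conf` and the log root `/var/log/snort` are assumed placeholders; the Snort flags used (`-i`, `-c`, `-l`, `-A fast`, `-D`) are the standard ones.

```shell
#!/bin/sh
# Added example (not from the thread): run one Snort sensor per interface.
# Assumed placeholders: SNORT_CONF, LOG_ROOT and the interface names passed in.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# Per-sensor log directory: one subdirectory per interface keeps the
# "inside" and "outside" alert streams apart for separate review.
sensor_logdir() {
    printf '%s/%s\n' "$LOG_ROOT" "$1"
}

# Command line for one sensor, returned as text so it can be reviewed
# (DRY_RUN) or compared against what is actually running.
snort_cmdline() {
    iface="$1"
    printf 'snort -i %s -c %s -l %s -A fast -D\n' \
        "$iface" "$SNORT_CONF" "$(sensor_logdir "$iface")"
}

# Refuse to start a sensor on an interface the kernel does not know about,
# so a typo does not silently leave one side of the firewall unwatched.
iface_exists() {
    [ -e "/sys/class/net/$1" ] || [ -d "/proc/sys/net/ipv4/conf/$1" ]
}

# Start one daemonised sensor per interface given as an argument.
# With DRY_RUN=1 only the command lines are printed.
start_sensors() {
    rc=0
    for iface in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            snort_cmdline "$iface"
            continue
        fi
        if ! iface_exists "$iface"; then
            echo "no such interface: $iface" >&2
            rc=1
            continue
        fi
        dir="$(sensor_logdir "$iface")"
        mkdir -p "$dir"
        snort -i "$iface" -c "$SNORT_CONF" -l "$dir" -A fast -D || rc=1
    done
    return "$rc"
}

# Example invocation: eth0 = outside, eth1 = inside (assumed names).
# DRY_RUN=1 sh thisscript.sh eth0 eth1
if [ "$#" -gt 0 ]; then
    start_sensors "$@"
fi
```

Each interface gets its own `-l` directory, so the question the thread raises (which sensor's logs are worth the limited review time) becomes a matter of looking at one directory or the other rather than untangling a merged alert file. On a heavily loaded firewall the note in the message still applies: two capture processes double the CPU spent on inspection.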


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
