Snort mailing list archives

RE: Snort Sensor Placement Outside Firewall


From: "Michael Steele" <michaels () winsnort com>
Date: Thu, 26 Jun 2003 10:26:22 -0700

If you're curious about what is hitting the outside and are also monitoring the
inside, then doing some sort of correlation of the two to see exactly what the
firewall is doing could be a possible use.

I don't see the point in making it a day to day operation of some monitoring
policy. I know I'd hate the task of wading through all that data.

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician     
 mailto:michaels () winsnort com    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Tom Sevy
Sent: Thursday, June 26, 2003 7:52 AM
To: Snort-users () lists sourceforge net
Subject: Fw: [Snort-users] Snort Sensor Placement Outside Firewall

Put it on the outside for testing -- you should get more data than on the
inside.  Then decide after the testing about where to position it as Erek
said.

On Wed, 25 Jun 2003, Michael Steele wrote:

You forgot to mention the time that may be involved in sorting through the
massive amount of data with a sensor on the outside.

More like "didn't mention" vs. "forgot".  Usually unless someone is just
feeling masochistic, the information overload from outside the firewall is
usually changed/toned down ASAP.

What could be some of the possibilities that make that scenario a possible
solution, when the IDS could or should in most cases be placed on the near
side of the firewall?

http://www.theadamsfamily.net/~erek/snort/ids_placement.txt

That one has been beaten to death so many times it's not even funny.  You
can place it before or after the FW, but I think that's a choice that has
to be made after testing.  I don't think there is a hard and fast answer
to 'where?'.  You're going to almost always have to test/retest to check
out how it works and how you want to handle it.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson





-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





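The outside/inside correlation suggested at the top of this thread, as an added example that is not part of the original messages: it parses Snort `alert_fast` lines from two sensors and splits alerts into those seen on both sides of the firewall, those seen only outside, and those seen only inside. It assumes both sensors run the same rules, there is no NAT between them, and their clocks are roughly in sync; the function names, the `year` parameter, and the sample alerts are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Snort alert_fast line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

def parse(lines, year=2003):
    """Parse fast alerts; the format omits the year, so it is supplied (assumption)."""
    alerts = []
    for line in lines:
        m = FAST.match(line.strip())
        if m:  # anything that is not a fast alert line is skipped
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            # Key assumes no NAT between the sensors (source port is ignored).
            alerts.append({"ts": ts, "sid": m["sid"], "msg": m["msg"],
                           "key": (m["sid"], m["src"], m["dst"], m["dport"])})
    return alerts

def correlate(outside, inside, window=timedelta(seconds=2)):
    """Return (passed, stopped, inside_only) lists of alerts."""
    passed, stopped, used = [], [], set()
    for o in outside:
        hit = next((n for n, a in enumerate(inside) if n not in used
                    and a["key"] == o["key"]
                    and abs(a["ts"] - o["ts"]) <= window), None)
        if hit is None:
            stopped.append(o)      # seen outside only: not observed past the firewall
        else:
            used.add(hit)
            passed.append(o)       # seen on both sides: the firewall let it through
    inside_only = [a for n, a in enumerate(inside) if n not in used]
    return passed, stopped, inside_only

# Constructed sample alerts (local SIDs, documentation address ranges).
OUTSIDE = """\
06/26-10:26:22.100000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 203.0.113.7:4312 -> 192.0.2.10:80
06/26-10:26:23.500000  [**] [1:1000002:1] CONSTRUCTED udp probe [**] [Priority: 2] {UDP} 198.51.100.9:1050 -> 192.0.2.10:1434
06/26-10:26:25.000000  [**] [1:1000003:1] CONSTRUCTED icmp sweep [**] [Priority: 3] {ICMP} 198.51.100.44 -> 192.0.2.10
""".splitlines()
INSIDE = """\
06/26-10:26:22.100400  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 203.0.113.7:4312 -> 192.0.2.10:80
06/26-10:27:01.000000  [**] [1:1000004:1] CONSTRUCTED outbound chat [**] [Priority: 2] {TCP} 192.0.2.25:3301 -> 203.0.113.80:6667
""".splitlines()

if __name__ == "__main__":
    passed, stopped, inside_only = correlate(parse(OUTSIDE), parse(INSIDE))
    for label, group in (("passed", passed), ("stopped", stopped), ("inside only", inside_only)):
        print(label, [a["sid"] for a in group])
```

Reviewing only the "passed" and "inside only" groups day to day, and keeping the "stopped" group for periodic firewall checks, is one way to keep the outside sensor's volume manageable.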

