Re: Machine placement

["snortlst snortlst" <snortlst () hotmail com>]

Let's say I want to capture three types of traffic:
1. Between router and firewall : bad external traffic coming on your network
2. On my DMZ : bad traffic your firewall let come in
3. On my local network : Policy enforcement, backdoor infected local
systems, etc.
Should I use three different snort machines for that purpose?


----- Original Message -----
From: "François Désarménien" <f.desarmenien () atrid fr>
To: "snortlst snortlst" <snortlst () hotmail com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, September 14, 2001 10:33 AM
Subject: Re: [Snort-users] Machine placement


> Fri, 14 Sep 2001 08:33:28 -0500
> "snortlst snortlst" <snortlst () hotmail com> wrote:
>
> > I have quite a standard setup:
> > Firewall and external router connected to one hub.
> > DMZ servers connected to another hub
> > LAN is connected to the other hubs.
> > Hub are interconnected.
>
> By gateways ? It isn't clear.
>
> > What is the better place to plug the snort machine in my network?
>
> It really depends what you expect to catch :
>
> - Between router and firewall : bad external traffic coming on your
network
> - On your DMZ : bad traffic your firewall let come in
>
> - On your local network : Policy enforcement, backdoor infected local
systems, etc.
> > It is a 100Mb network, should I really run snort in -b (bynary) mode in
that envoronment?
> Again, it depends on the network load, the CPU speed, the disk speed, the
OS, the weather, etc.
> '-b' beeing the fastest, you simply lower the risk of missing packets.
>
> Hope this helps
>
> F.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users