Snort mailing list archives

Re: fragroute vs. snort: the tempest in a teacup


From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 19 Apr 2002 16:01:21 -0400

In message <200204182210.IAA10429 () caligula anu edu au>, Darren Reed writes:
> IMHO it makes little sense
> for an IDS to be *behind* a firewall as it's going to miss out on lots
> of useful data points.

The question to answer is what the purpose is of your IDS.  If you're a 
researcher on intrusion techniques, you should indeed have your IDS on 
the outside.  If you're a good citizen and have lots of free time, by 
all means have one, so you can tell all the rooted sites that are 
probing you that they're owned.  But if you want to find out if you're 
under attack, don't bother -- you are under attack, more or less 
continuously.  

An IDS on the inside will have many fewer false alarms, and will tell 
you what you really want to know -- that someone has gotten through 
your (other) defenses.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com


