Snort mailing list archives

Re: Multi-sensor setup


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Wed, 22 Jul 2009 16:38:45 -0500

Quoting Scott Elgram <SElgram () VerifPoint com>:

I would like to see the traffic that is attempting to get through as well
just so I know what sort of attacks or whatever is being attempted against
my firewall.  As far as I know everything is hunky dory and anything
malicious isn't getting through but it's a bit like standing at the edge of
a dark hole.  Sure, I'm fine where I am now but I have no idea what's in the
hole.

Couldn't you just look at the firewall logs and see how much stuff is  
being dropped?

There is no way to know what an outside aggressor would have done if
the firewall had let them in.  So if the firewall stops the three way  
handshake, then the exploit never runs, and your outside sensor would  
detect nothing.  I would submit that aside from portscans and other  
such trivia, the inside and outside should be the same.

Unless you set up a honeypot.  Maybe that is what you really want.  So
instead of dropping unwelcome traffic, the perimeter firewall sends it
to the honeypot.  Then you can see what the aggressor would have done
had you let them in.

jp

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
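As an added example, not code from the thread or from either poster, here is a small Python script that does what the reply suggests: it reads the firewall's own drop log instead of an outside sensor. It assumes a netfilter/iptables LOG rule with the log prefix `FW-DROP:` (an assumption) and parses constructed, simplified key=value lines in that format. It tallies drops per destination port and per source, counts how many drops were bare TCP SYNs (a handshake the firewall never let complete, so no exploit payload ever crossed the wire for a sensor to inspect), and flags sources that probed several distinct ports, the portscan "trivia" the reply says is about all an outside sensor adds.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the original thread), in a simplified
# netfilter LOG-target layout with an assumed "FW-DROP:" / "FW-ACCEPT:" prefix.
SAMPLE_LOG = """\
Jul 22 16:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41234 DPT=22 SYN
Jul 22 16:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41235 DPT=23 SYN
Jul 22 16:01:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=41236 DPT=445 SYN
Jul 22 16:02:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50001 DPT=22 SYN
Jul 22 16:02:11 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=50002 DPT=22 SYN
Jul 22 16:03:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=44 PROTO=UDP SPT=53412 DPT=161
Jul 22 16:04:00 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=33000 DPT=80 SYN
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_drop(line, prefix="FW-DROP:"):
    """Return the key=value fields of one dropped-packet line (plus a FLAGS
    tuple of bare TCP flag words), or None if the line is not a drop."""
    if prefix not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # TCP flags are bare words after the PROTO= field, not key=value pairs.
    tail = line.split("PROTO=", 1)[-1]
    fields["FLAGS"] = tuple(f for f in TCP_FLAGS if re.search(rf"\b{f}\b", tail))
    return fields


def summarize(log_text, prefix="FW-DROP:"):
    """Aggregate drops by destination port and by source, and count how many
    were bare SYNs: connection attempts the firewall refused before any
    payload could be sent, which is why an outside sensor sees no exploit."""
    by_port, by_src = Counter(), Counter()
    ports_per_src = defaultdict(set)
    total = syn_only = 0
    for line in log_text.splitlines():
        rec = parse_drop(line, prefix)
        if rec is None:
            continue
        total += 1
        src = rec.get("SRC", "?")
        key = f"{rec.get('PROTO', '?')}/{rec.get('DPT', '?')}"
        by_port[key] += 1
        by_src[src] += 1
        ports_per_src[src].add(key)
        if rec.get("PROTO") == "TCP" and rec["FLAGS"] == ("SYN",):
            syn_only += 1
    return {
        "total": total,
        "syn_only": syn_only,
        "by_port": by_port,
        "by_src": by_src,
        "ports_per_src": {s: sorted(p) for s, p in ports_per_src.items()},
    }


def likely_scanners(summary, min_ports=3):
    """Sources that probed at least min_ports distinct ports: the portscan
    activity that only a sensor outside the firewall would otherwise show."""
    return sorted(src for src, ports in summary["ports_per_src"].items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} drops, {s['syn_only']} were bare SYNs (no payload seen)")
    for port, n in s["by_port"].most_common():
        print(f"  {port:10s} {n}")
    print("likely scanners:", likely_scanners(s))
```

Run it against the output of a real LOG rule by feeding the kernel log through `summarize()` instead of `SAMPLE_LOG`; the `prefix` argument must match the `--log-prefix` configured on that rule.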


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
