Snort in front of WAF or behind?

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

I'm putting in a WAF in the next two weeks, and I'm deciding on where to put it, in front of my network tap with Snort, 
or behind the network tap with Snort.  I'm thinking it's better to put it in front of the network tap with Snort, and 
let the WAF do the inspection, filtering and alerting of HTTP(S) traffic.  A couple of benefits of doing it this way 
that I see:

1. WAF will know more about how the HTTP applications are configured and what is good and what is bad input.
2. It will decrease the load (marginally) on the Snort box, since it won't have to inspect the traffic that is already 
going to be filtered at the WAF.

Anybody have input on this scenario?  It seems just like the "Snort in front of the firewall or behind the firewall" 
debate... but I might be missing something.

--
Shawn


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users