Snort mailing list archives

Re: SNORT on Trend Micro Interscan virus wall box


From: Gordon Ewasiuk <gewasiuk () gnmc net>
Date: Thu, 13 Sep 2001 22:27:08 -0400 (EDT)

On Tomorrow, Jonathon.Kalaugher () sbg-ap com wrote:
> Hello List,
>
> I am considering placing a copy of SNORT on a Trend Micro box Interscan
> virus wall box on Win2k/NT4.0.
>
> This server sits in a DMZ and intercepts all incoming SMTP, HTTP, FTP
> traffic destined for our Web and intranet servers.
>
> It does not process outgoing HTTP, DNS etc
>
> Does this sound like a good idea?

Hi Jonathon,

Sounds like a good start.  I'd suggest showing all traffic to the Snort
box though.  Snort appears to detect a wide range of attacks, probes, and
scans.

My install, which took place about two weeks ago, has all inbound and
outbound traffic mirrored to a separate network directly off my Foundry
switches (1st point of entry into the datacenter I work at).  So, my Snort
box sees everything and detects everything.  Not sure if it's the optimal
method (I think some might deploy the Snort box BETWEEN their external
networks and internal networks, a la another firewall):

Internet <-----> Snort <------> Internal networks

Mine looks like this:

Internet <-----> 2 Foundry Switches <-----> Firewalls <-----> internal
                         |
                         |
                     snort box

Your mileage may vary.  Good luck!

-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic,  Winstar VHC
The REAL office number is here----->  703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------

 10:20pm  up 3 day(s), 12:13,  1 user,  load average: 0.01, 0.03, 0.16
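
Added example, not part of the original message: a small Python check that contrasts the two sensor placements discussed in this thread by reporting which traffic directions a sensor actually observed. The HOME_NET range, the sample records and all function names are constructed for illustration; records are assumed to be connection-opening packets.

```python
import ipaddress
from collections import defaultdict

# Assumption: protected address space, the same range you would give Snort as HOME_NET.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]

def is_home(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def direction(src, dst):
    """Classify a connection-opening packet relative to HOME_NET."""
    src_home, dst_home = is_home(src), is_home(dst)
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "transit"

def coverage(records):
    """Map each direction to the set of destination ports the sensor observed."""
    seen = defaultdict(set)
    for src, dst, dport in records:
        seen[direction(src, dst)].add(dport)
    return dict(seen)

def blind_spots(records, expected=("inbound", "outbound")):
    """Directions the sensor never saw during the sample window."""
    seen = coverage(records)
    return [d for d in expected if d not in seen]

# Constructed samples: (src, dst, dst_port) of connection-opening packets.
GATEWAY_VIEW = [  # sensor on the mail/web gateway: inbound SMTP, HTTP, FTP only
    ("198.51.100.7", "192.0.2.10", 25),
    ("203.0.113.9", "192.0.2.20", 80),
    ("198.51.100.7", "192.0.2.30", 21),
]
MIRROR_VIEW = GATEWAY_VIEW + [  # sensor on a switch mirror port: both directions
    ("192.0.2.20", "203.0.113.53", 53),
    ("192.0.2.40", "198.51.100.80", 80),
]

if __name__ == "__main__":
    for name, view in (("gateway", GATEWAY_VIEW), ("mirror", MIRROR_VIEW)):
        print(name, coverage(view), "blind spots:", blind_spots(view))
```

A direction listed as a blind spot means no rule can fire on that traffic, whatever the rule set contains.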

