Snort mailing list archives

Re: 2 sensors

From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 1 Nov 2001 12:13:06 -0800 (PST)

On Thu, 1 Nov 2001, snortlst snortlst wrote:

My first sensor runs outside firewall and it displays a lot of alerts.
The second sensor is placed inside my network and monitors firewall aln nic.
It displays very few alerts (in fact only alerts from our external dns
servers are displayed as a port scans)
Is that normal? I mean is that normal that I almost don't see alerts inside
my lan?


[Also see next message...]

Yes, IMHO, that's normal as normal gets.  Consider what a firewall does:
Allow or Deny or Drop packets based on rules you define.  If you don't let the
packets through the firewall, then your interior sensor won't see them.

DNS servers and portscans is listed in the FAQ.

http://www.snort.org/docs/faq.html#6.18

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

2 sensors snortlst snortlst (Nov 01)
- Re: 2 sensors Erek Adams (Nov 01)
- Re: 2 sensors Ralf Hildebrandt (Nov 01)
  - Re: 2 sensors snortlst snortlst (Nov 01)