Snort mailing list archives

Re: inside or outside


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 19 Jul 2002 18:15:30 -0500

Seth,

it depends how you want to use Snort. If you want to use it as an
Intrusion Detection System, it should be placed inside the firewall to
alert you for anything weird that slipped through your firewall
(such as... uhm... an intrusion :)

If you want to use Snort as an Attack Detection System, and/or you are
curious what kinda crap is floating around out there, you would place it
in front of the firewall.

Or run it on both. Inside for alerts, and outside for curiosity.

I myself run both. I use it outside in conjunction with SnortSam to
blind/annoy scanners, and on the inside as an IDS. I just browse through
the alerts from the outside box to see how the Internet weather is
(Nimda has been increasing lately). The alerts from the inside box I
check with a much higher priority since those would tell me if someone
is making a larger effort than just knocking on my firewall door, or if
the system has been compromised.

Regards,
Frank


On Fri, 2002-07-19 at 05:47, Seth L. Thomas wrote:
Sorry if this was covered before but..

Where should snort go, inside or outside of a firewall? Let's say you have a
standalone box so when you run snort against the interface to the net like
snort -dv -i eth0 then you're actually running snort on the outside of the
firewall because it binds to the raw socket so it gets the traffic before
your kernel (ipchains/iptables) has time to react to it.

But if the traffic you're sniffing is being blocked by ipchains/iptables then
snort won't give you much info because the blocked traffic won't be able to
establish a connection so at most you'll capture a SYN.

But if you run snort against traffic that you allow through the firewall
then I mean, it's too late cause you're already letting it in. I always
wanted to know a little bit more info about the traffic I'm blocking (more
info than what ipchains/iptables gives you) but how can one do that without
allowing it in?

 


-- 
Join the Navy; sail to far-off exotic lands, meet 
exciting interesting people, and kill them.
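
An added example, not part of the original thread and not code from Snort or SnortSam: one way to do the two-sensor triage described in the reply above, assuming both sensors write Snort's fast alert format. The log lines, addresses, SIDs, messages and the `triage` helper are constructed for illustration.

```python
import re
from collections import Counter

# Layout of one Snort "fast" alert line (alert_fast output).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (documentation addresses, made-up SIDs and messages).
OUTSIDE_LOG = """\
07/19-17:58:01.100000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3321 -> 192.0.2.10:80
07/19-17:59:14.200000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:4410 -> 192.0.2.10:80
07/19-18:02:40.300000  [**] [1:1000002:1] SCAN SYN sweep [**] [Priority: 2] {TCP} 203.0.113.7:3400 -> 192.0.2.10:22
"""
INSIDE_LOG = """\
07/19-18:05:12.400000  [**] [1:1000003:1] Unexpected outbound connection [**] [Priority: 1] {TCP} 10.0.0.5:1042 -> 198.51.100.99:6667
07/19-18:03:02.500000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3390 -> 10.0.0.5:80
"""

def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def triage(outside_text, inside_text):
    """Return (inside alerts, most urgent first; outside 'weather' counts by message)."""
    outside = parse_alerts(outside_text)
    probes = Counter(a["src"] for a in outside)    # who knocked on the outside
    weather = Counter(a["msg"] for a in outside)   # what is floating around out there
    inside = [dict(a, outside_hits=probes[a["src"]]) for a in parse_alerts(inside_text)]
    # An inside alert from a source that also probed the outside means traffic
    # from a known prober passed the firewall, so it sorts to the top.
    inside.sort(key=lambda a: -a["outside_hits"])
    return inside, weather

if __name__ == "__main__":
    urgent, weather = triage(OUTSIDE_LOG, INSIDE_LOG)
    print("Inside alerts (review first):")
    for a in urgent:
        print(f"  {a['ts']} {a['src']} -> {a['dst']} {a['msg']} (outside hits: {a['outside_hits']})")
    print("Outside weather:")
    for msg, n in weather.most_common():
        print(f"  {n:3d}  {msg}")
```

Every inside alert is returned; the outside counts only change the review order, so an inside alert with no matching outside probe (such as the outbound connection in the sample) still needs a look.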

