Snort mailing list archives

Re: IDS and Firewall


From: James Riden <j.riden () massey ac nz>
Date: Thu, 29 Apr 2004 11:19:14 +1200

"Shaffer, Paul D" <paul.d.shaffer () lmco com> writes:

> Everyone responding to this thread seems to be preaching to the choir
> with an amazing grasp of the obvious.  But nobody bothered to ask the
> Kernel anything constituting a requirements definition - What is he
> trying to do?  What is his environment?  What equipment does he have
> available?

OP: 
=>Is it recommended to run on it snort (on the same box)
=>or should I run it on another computer

No, it's not recommended, and yes the OP should run it on another
computer. Obviously, if s/he can't it's not the end of the world, but
s/he asked the question as if that was a possibility.

> Have you considered the possibility that dyed-in-the-wool dogma purveyed
> as gospel, may not be what he is looking for?  Maybe he wants some
> advice or examples of how a multi-purpose security device might be
> cobbled together and properly locked down with Linux?

If you don't like the answer you shouldn't have asked the question :)

Seriously, I wouldn't run snort on a home firewall even. If you've got
a box you're protecting with the firewall, it's far better to put
snort on that. Have the fw as your prevention, and snort as your
detection.

Apart from security issues, a fw is a single point of failure for most
of us, so is best left to do just firewalling. Running snort will
typically need a lot more oomph than just running iptables, so it's
possible his firewall box isn't up to spec in that regard.

Plus, I don't care about the vast number of attacks and scans which
will be visible on the firewall but will be stopped by it. I only care
about packets which get inside the network.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/


