Snort mailing list archives
Re: Placing Snort
From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 01 Sep 2004 21:03:31 +0200
On Wed, 01 Sep 2004 at 11:30, Chandana Bandara wrote:
> Hi, I implemented Snort in this way:
>
> Internet ---> Router ---> Firewall ---> Snort ---> switch ---> LAN
>
> Am I correct? Thanks
It all depends on what attacks you want to see. If you use the configuration you have proposed then you see all attacks that are knocking at your door, but you could have an insane number of alarms and false positives. If you place Snort after the firewall you won't see the attacks that the firewall is blocking, but you will see the attacks that are really affecting your network, and the number of false positives decreases a lot.

The perfect solution for me is having both: one Snort in the external network to see all the traffic that is knocking at your site, and another Snort behind the firewall to see the really interesting attacks. You should treat each of these Snorts in a different way: the inner one is the one you should check all the time to see the attacks your firewall is letting in, and the outer one should be checked from time to time to see who's attacking you. You can compare both results to see how well your firewall is acting.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
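The comparison of outer and inner sensor results suggested in the reply above, as an added example that is not part of the original message or of Snort itself. It assumes both sensors write Snort's "fast" alert format, load the same rules, and have no NAT between them; the SIDs, messages and addresses are constructed sample data.

```python
import re
from collections import Counter

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+.*?\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alerts(text):
    """Count alerts keyed by (sid, src, dst, dport); the source port is ignored."""
    seen = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:  # skip lines that are not fast-format alerts
            seen[(int(m["sid"]), m["src"], m["dst"], m["dport"] or "")] += 1
    return seen

def compare_sensors(outer_text, inner_text):
    """Split alerts into: seen on both sensors, outer sensor only, inner sensor only."""
    outer, inner = parse_alerts(outer_text), parse_alerts(inner_text)
    return {
        "passed": sorted(k for k in outer if k in inner),           # firewall let it in
        "blocked": sorted(k for k in outer if k not in inner),      # not seen behind the firewall
        "inside_only": sorted(k for k in inner if k not in outer),  # never crossed the outer sensor
    }

# Constructed sample alerts (local-range SIDs, documentation address ranges).
OUTER_SAMPLE = """\
09/01-11:30:01.000000  [**] [1:1000001:1] LOCAL constructed web probe [**] [Priority: 2] {TCP} 203.0.113.5:40112 -> 192.0.2.10:80
09/01-11:30:02.000000  [**] [1:1000002:1] LOCAL constructed SMB probe [**] [Priority: 2] {TCP} 203.0.113.5:40113 -> 192.0.2.10:445
09/01-11:30:05.000000  [**] [1:1000003:1] LOCAL constructed ping sweep [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
"""
INNER_SAMPLE = """\
09/01-11:30:01.000100  [**] [1:1000001:1] LOCAL constructed web probe [**] [Priority: 2] {TCP} 203.0.113.5:40112 -> 192.0.2.10:80
09/01-11:31:00.000000  [**] [1:1000004:1] LOCAL constructed internal scan [**] [Priority: 2] {TCP} 192.0.2.20:5555 -> 192.0.2.10:22
"""

if __name__ == "__main__":
    for group, keys in compare_sensors(OUTER_SAMPLE, INNER_SAMPLE).items():
        print(f"{group}: {len(keys)}")
        for sid, src, dst, dport in keys:
            print(f"  sid={sid} {src} -> {dst}:{dport or '-'}")
```

The "passed" group is what the inner sensor is there to surface; a growing "passed" share relative to "blocked" is the signal that the firewall rules need review.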