Snort mailing list archives

Re: Placing Snort

From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 01 Sep 2004 21:03:31 +0200

El mié, 01 de 09 de 2004 a las 11:30, Chandana Bandara escribió:

hi
 
I implemented snort in this way .
 
 
Internet ---------------> Router -----------------------> Firewall
---------------------> Snort--------------------> switch
-----------------> LAN
 
am i correct ?
 
thanx


It all depends in what attacks you want to see. If you use the
configuration you have proposed then you see all attacks that are
knocking at your door, but you could have an insane number of
alarms and false positives. If you place snort after the firewall
you won't see the attacks that the firewall it's blocking but you
will see the attacks that are really affecting your network and
the number of false positives decreases a lot.

The perfect solution for me is having both. One snort in the external
network to see all the traffic that it's knocking your site and another
snort behind the firewall to see the really interesting attacks. You
should treat each of this snorts in a different way, the inner one is
the one you should check all the time to see the attacks your firewall
is letting in, and the outer one should be checked from time to time
to see who's attacking you and you can compare both results to see how
well is acting your firewall.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id808&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Placing Snort Chandana Bandara (Sep 01)
- Re: Placing Snort Matt Kettler (Sep 01)
- Re: Placing Snort Bill Parker (Sep 01)
- Re: Placing Snort Jose Maria Lopez (Sep 01)