Re: Capture Email Content / Website Activity

[<barryab63-ia () yahoo com>]

The only drawback to this configuration is it introduces another point of failure to your network.  If for some reason 
the snort box fails, the network is down.  The upside is that you can use the Snort inline functions and actually have 
snort stop some attacks.  It really depends on what's more important to your client.  You could put an Ethernet tap in 
place of your snort box, the tap is still a point of failure.  But, in most cases the tap will continue to pass data on 
the network, you just loose the monitoring ability. 
   
  I believe there are some papers on the Snort web site that talk about this.
   
  Barry
   
   
  

stuff () trackingsolutions ca wrote:
  Does this configuration have any drawbacks for security, reliability or speed.

Internet --> modem --> router --> snortbox --> switch --> local network

Thanks

On November 27, 2005 04:42 pm, G Ramon Gomez wrote:
> stuff () trackingsolutions ca wrote:
> > The first scenario:
> > Internet --> Modem --> snortbox --> router --> local network
> > will not allow me to specify what machine is sending information. It would
> > just give me the ip of the router. Right?
>
> If you're NATing, yes.
>
> > The second scenario:
> > Internet --> modem --> router --> snortbox --> switch --> local network
> > this scenario will allow me to monitor the activity from within the local
> > network.
>
> Yes.
>
> > In the second scenario is it nessicary to run iptables or is iptables used
> > to route the traffic?
>
> iptables would be used to provide the bridging, so it's needed.
>
> > Also I do see the value of squid to monitor the traffic to the web.
>
> Ok. To "monitor the traffic to the web", you need some form of activity
> logging. Furthermore, you need some form of data analysis to make sense
> of the logs, unless you intend to manually review all of the log lines.
> Within the context of data analysis of web logs, there are more tools
> available to squid then there are to snort, because snort isn't meant to
> do this type of work. Squid, on the other hand, is.
> Unfortunately, I can't explain any better than this why you'd want to
> use squid to monitor web activity. Using a proxy to audit user web
> activity versus using an IDS for the same seems intuitive to me (unless
> you're doing policy-based auditing, in which case you're not monitoring
> *all* activity, just the activity that might violate policy).
>
> - Ramon
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log
> files for problems? Stop! Download the new AJAX search engine that makes
> searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
> http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users