Snort mailing list archives
Re: Multi-sensor setup
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 22 Jul 2009 20:43:17 -0400
Set your home net and external net to "any", put your IDS inside your firewall watching all the traffic going in and out of the internal interface of the firewall with a tap.

--
Sent from my iPhone

On Jul 22, 2009, at 6:06 PM, "Scott Elgram" <SElgram () VerifPoint com> wrote:
> I do have the firewall logging dropped stuff already but like I mentioned in an earlier post to Milo this isn't exactly an ideal situation because I would also like to log the outbound traffic from users as well. I hadn't thought of a honey pot though, could you recommend any sites with info on who, what, when, where, why and how for such a project?
>
> -Scott
>
> -----Original Message-----
> From: Jack Pepper [mailto:pepperjack () afferentsecurity com]
> Sent: Wednesday, July 22, 2009 2:39 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Multi-sensor setup
>
> Quoting Scott Elgram <SElgram () VerifPoint com>:
>
> > I would like to see the traffic that is attempting to get through as well just so I know what sort of attacks or whatever is being attempted against my firewall. As far as I know everything is hunky dory and anything malicious isn't getting through but it's a bit like standing at the edge of a dark hole. Sure, I'm fine where I am now but I have no idea what's in the hole.
>
> Couldn't you just look at the firewall logs and see how much stuff is being dropped? There is no way to know what an outside aggressor would have done if the firewall had let them in. So if the firewall stops the three way handshake, then the exploit never runs, and your outside sensor would detect nothing. I would submit that aside from portscans and other such trivia, the inside and outside should be the same.
>
> Unless you set up a honeypot. Maybe that is what you really want. So instead of dropping unwelcome traffic, the perimeter firewall sends it to the honey pot. Then you can see what the aggressor would have done had you let them in.
> jp
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
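An added example, not code from the thread or from Snort, of the firewall-log approach Jack suggests: it parses constructed netfilter LOG lines, separates inbound drops from the outbound ones Scott also wants to see, and flags the portscan-style sources Jack calls trivia. The interface names (eth0 external, eth1 internal) and the scan threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed interface naming (not from the thread): eth0 faces the Internet, eth1 the LAN.
EXTERNAL_IF = "eth0"
SCAN_THRESHOLD = 3  # distinct destination ports from one source before we call it a scan

# Constructed netfilter LOG lines in syslog format; invented for this example.
SAMPLE_LOG = """\
Jul 22 14:01:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jul 22 14:01:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=23 SYN
Jul 22 14:01:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=445 SYN
Jul 22 14:02:41 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jul 22 14:03:15 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.99 PROTO=TCP SPT=49152 DPT=6667 SYN
Jul 22 14:03:16 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=161
"""

LINE_RE = re.compile(
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

def parse_log(text):
    """Extract the netfilter fields from each LOG line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # Packets arriving on the external interface are inbound attempts; anything
        # else is a LAN host's connection dropped on the way out.
        rec["direction"] = "inbound" if rec["in"] == EXTERNAL_IF else "outbound"
        records.append(rec)
    return records

def summarize(records):
    """Count inbound drops by source and by port, keep outbound drops, and flag
    sources that hit several distinct ports (a crude portscan heuristic)."""
    by_src, by_dport, outbound = Counter(), Counter(), []
    ports_per_src = defaultdict(set)
    for r in records:
        if r["direction"] == "inbound":
            by_src[r["src"]] += 1
            by_dport[(r["proto"], r["dpt"])] += 1
            ports_per_src[r["src"]].add((r["proto"], r["dpt"]))
        else:
            outbound.append((r["src"], r["dst"], r["proto"], r["dpt"]))
    scanners = sorted(s for s, p in ports_per_src.items() if len(p) >= SCAN_THRESHOLD)
    return {"by_src": by_src, "by_dport": by_dport, "outbound": outbound, "scanners": scanners}
```

Run `summarize(parse_log(SAMPLE_LOG))` against the sample, or feed it real `/var/log/kern.log` lines from a `-j LOG` rule placed before the DROP rule.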
Current thread:
- Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Richard Bejtlich (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Joel Esler (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Chris Jacob (Jul 22)
- Re: Multi-sensor setup Jack Pepper (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Joel Esler (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Milo Velimirovic (Jul 22)
- Re: Multi-sensor setup Scott Elgram (Jul 22)
- Re: Multi-sensor setup Joel Esler (Jul 22)
- Re: Multi-sensor setup William Young (Jul 24)
- Re: Multi-sensor setup Richard Bejtlich (Jul 22)