Snort mailing list archives
Re: Snort Deployment Configurations
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 03 Feb 2011 20:48:42 -0500
On 2/3/2011 19:31, Michael Lubinski wrote:
I find myself thinking more and more in the realm of NSM and Snort. I have been running different theoretical deployment situations in my head on how / where I would deploy a Snort sensor. I thought "Why don't I just ask the people that work with it every day?" I would imagine running Snort on the outside of your network would net a different set of rules being active than would a Snort sensor running internally.
This is very true. In my world, Snort is run against all traffic entering and leaving the perimeter of the network being monitored. Yes, that means that it is, in our case, being run on the perimeter device(s). Internal traffic is not monitored unless an internal mechanism is specifically set up, but it is possible that the perimeter device is also monitoring internal traffic. For this it also means that certain vars in the Snort config are altered so they fit the internal network parameters. However, in my neck of the woods, internal monitoring is best done with sniffers on the internal network(s).
Does anyone run Snort in multiple locations with varied purposes like this example?
Not yet, but the principle is the same, with the note of the HOME_NET and EXTERNAL_NET var changes needed ;)
Before I started to really dig into Snort I always thought of it as an inline gateway monitor / filter between you and the world, but the more I learn, the more I see that it can be much more universal depending on the rules included.
Absolutely! In my world, Snort's alert file is the main feed to an "active response" tool which initiates a firewall DROP rule immediately, based on the alert file and the tool's configured watch parameters. Yes, this can, and does, result in some false positives, but things are also being looked over by a human, and as such, until the rules and active response tool are tuned to the network's needs, FPs will happen. In the cases that they do happen, I'm firmly on the side of shoot first, ask questions later :P
What other considerations might someone new to Snort such as myself overlook at first thought?
This is hard to answer without further knowledge of your networking and security related background. I say that with the knowledge that I'm self taught, with 30+ years in the industry and many, many, many hours of OJT, plus the development of numerous methods of monitoring and protection, as well as having been in the position of teaching classes related to networking.
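As an added illustration of the two points in the reply above (the HOME_NET/EXTERNAL_NET change between a perimeter sensor and an internal one, and an "active response" tool that turns the alert file into firewall DROP rules), here is a small Python script. It is not part of this thread, of Snort, or of any particular active-response tool. It assumes Snort 2.x alert_fast output, uses constructed sample alerts (local-range SIDs, RFC 5737 addresses), and only emits iptables commands as strings rather than running them; the HOME_NET list, the never-block list and the hit threshold are hypothetical tuning knobs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort 2.x alert_fast format (not captured from a
# real sensor): SIDs are in the local-rule range, addresses are RFC 5737 ranges.
SAMPLE_ALERTS = """\
02/03-20:48:42.117301  [**] [1:1000001:1] LOCAL port scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51432 -> 192.0.2.10:22
02/03-20:48:43.002210  [**] [1:1000002:1] LOCAL mdns chatter [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.0.2.20:5353 -> 192.0.2.255:5353
02/03-20:48:44.551900  [**] [1:1000001:1] LOCAL port scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.10:22
02/03-20:48:45.000100  [**] [1:1000003:1] LOCAL outbound beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.30:49152 -> 203.0.113.99:443
02/03-20:48:46.000100  [**] [1:1000001:1] LOCAL port scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51433 -> 192.0.2.10:23
02/03-20:48:47.000100  [**] [1:1000004:1] LOCAL dns anomaly [**] [Classification: Potentially Bad Traffic] [Priority: 1] {UDP} 203.0.113.53:53 -> 192.0.2.10:33333
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<pri>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"], "pri": int(d["pri"]),
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]), "dst": ipaddress.ip_address(d["dst"]),
    }


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def plan_blocks(alert_text, home_net, never_block=(), hit_threshold=2):
    """Decide which foreign addresses to DROP based on the sensor's HOME_NET.

    The side of each alert that is outside HOME_NET is the block candidate.
    Alerts with both ends inside HOME_NET are skipped (blocking them would cut
    off our own hosts), as are candidates on the never-block list. Priority 1
    alerts block on first sight; others must reach hit_threshold.
    """
    home = [ipaddress.ip_network(n) for n in home_net]
    safe = [ipaddress.ip_network(n) for n in never_block]
    hits = Counter()
    blocked = {}      # address -> "inbound" (block as source) | "outbound" (block as destination)
    skipped = []      # (sid, reason) for the human looking things over
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        src_home, dst_home = _in_any(a["src"], home), _in_any(a["dst"], home)
        if src_home and dst_home:
            skipped.append((a["sid"], "internal-to-internal"))
            continue
        if not src_home:
            target, direction = a["src"], "inbound"
        else:
            target, direction = a["dst"], "outbound"
        if _in_any(target, safe):
            skipped.append((a["sid"], f"{target} is on the never-block list"))
            continue
        hits[target] += 1
        if a["pri"] == 1 or hits[target] >= hit_threshold:
            blocked[target] = direction
    rules = []        # commands are returned as strings, never executed here
    for ip, direction in blocked.items():
        if direction == "inbound":
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
            rules.append(f"iptables -I FORWARD -s {ip} -j DROP")
        else:
            rules.append(f"iptables -I OUTPUT -d {ip} -j DROP")
            rules.append(f"iptables -I FORWARD -d {ip} -j DROP")
    return {
        "rules": rules,
        "blocked": {str(k): v for k, v in blocked.items()},
        "hits": {str(k): v for k, v in hits.items()},
        "skipped": skipped,
    }


if __name__ == "__main__":
    # Perimeter sensor: HOME_NET is our /24, the upstream resolver is never blocked.
    result = plan_blocks(SAMPLE_ALERTS, home_net=["192.0.2.0/24"],
                         never_block=["203.0.113.53/32"])
    for rule in result["rules"]:
        print(rule)
    for sid, reason in result["skipped"]:
        print(f"skipped sid {sid}: {reason}")
```

Run with a wider HOME_NET, as an internal sensor that also covers the 203.0.113.0/24 side would, and the same alert file produces no DROP rules at all, because most lines become internal-to-internal: that is the var change the reply refers to. The never-block list and the skipped list are the only safeguards against the false positives the reply admits to; a real deployment would also expire rules after a timeout.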
Current thread:
- Snort Deployment Configurations Michael Lubinski (Feb 03)
- Re: Snort Deployment Configurations waldo kitty (Feb 03)
- Re: Snort Deployment Configurations Martin Holste (Feb 03)
- Re: Snort Deployment Configurations Jason Haar (Feb 06)
- Re: Snort Deployment Configurations Crusty Saint (Feb 07)
- Re: Snort Deployment Configurations Ray Caparros (Feb 07)
- Re: Snort Deployment Configurations Martin Holste (Feb 07)
- Re: Snort Deployment Configurations Jason Haar (Feb 06)
- Re: Snort Deployment Configurations Bamm Visscher (Feb 07)
- Re: Snort Deployment Configurations Martin Holste (Feb 07)
- Re: Snort Deployment Configurations Joel Esler (Feb 07)