[Snort-users] Snort and Firewalls

Gregor Binder gbinder at ...462...
Mon Oct 16 06:38:30 EDT 2000

David Harris on Sun, Oct 15, 2000 at 03:28:13PM -0400:


> I have never heard of anyone running snort on their firewall itself...
> Is there a reason for this besides fear of performance hits on the firewall?

I think it is preferable to run your IDS on a system that is not
providing any function to other systems. It is much less likely that
it will be found and attacked, so you always have a second opinion in
case something happens.

> This is what I do on my network... I have my gateway set up using iptables
> for my firewall and I have snort (with the Acid frontend) listening on my
> inside interface... This way I can have one sensor that sees all the traffic
> that gets through the firewall (which is what I am worried about mostly
> anyway). Is there something bad/wrong about doing this I should know?

Obviously you will never detect attacks that were directed against
your firewall and maybe even successful. You do get a low number of
false-positives (in the sense of unsuccessful attacks), but I would
rather sniff on both sides and select the rules I want to know about
by filtering the logs. Or compare the logs of both interfaces.

If I had to sniff on the firewall, I would definitely write my logs
somewhere else.


Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482

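As an added illustration of the "compare the logs of both interfaces" approach discussed above (my own example, not code from this thread or from Snort): it reads one-line alerts in Snort's "fast" alert format from an outside sensor and an inside sensor and splits them into traffic the firewall passed, traffic it blocked (or that targeted the firewall itself), and events only the inside sensor saw. The alert lines and rule SIDs are constructed, and the match key leaves out the destination address on the assumption that the iptables gateway may NAT it.

```python
import re
from collections import Counter

# One Snort "fast"-style alert per line (constructed samples, not a real capture).
OUTSIDE_ALERTS = """\
10/15-15:28:13.101 [**] [1:1000001:1] LOCAL web cmd.exe probe [**] [Priority: 1] {TCP} 203.0.113.5:3421 -> 198.51.100.2:80
10/15-15:28:14.202 [**] [1:1000002:1] LOCAL snmp request [**] [Priority: 2] {UDP} 203.0.113.5:3422 -> 198.51.100.2:161
10/15-15:28:15.303 [**] [1:1000003:1] LOCAL icmp sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.1
"""
INSIDE_ALERTS = """\
10/15-15:28:13.104 [**] [1:1000001:1] LOCAL web cmd.exe probe [**] [Priority: 1] {TCP} 203.0.113.5:3421 -> 192.168.1.10:80
10/15-15:29:01.000 [**] [1:1000004:1] LOCAL smb probe from inside [**] [Priority: 2] {TCP} 192.168.1.20:1054 -> 192.168.1.10:139
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[^\]]+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    return [m.groupdict() for m in (ALERT_RE.match(line.strip()) for line in text.splitlines()) if m]

def event_key(ev):
    # Assumption: the gateway may DNAT inbound traffic, so the inside sensor reports the
    # private destination address. The destination IP is therefore left out of the key.
    return (ev["sid"], ev["msg"], ev["proto"], ev["src"], ev["dport"])

def compare_sensors(outside_text, inside_text):
    """Split alerts by which side of the firewall saw them.

    passed      - seen by both sensors: the firewall let it through, look here first
    blocked     - outside only: dropped by the firewall, or aimed at the firewall itself
    inside_only - inside only: the outside sensor missed it (or it never crossed the firewall)
    """
    outside = Counter(event_key(e) for e in parse_alerts(outside_text))
    inside = Counter(event_key(e) for e in parse_alerts(inside_text))
    return {
        "passed": {k: n for k, n in outside.items() if k in inside},
        "blocked": {k: n for k, n in outside.items() if k not in inside},
        "inside_only": {k: n for k, n in inside.items() if k not in outside},
    }

if __name__ == "__main__":
    for bucket, events in compare_sensors(OUTSIDE_ALERTS, INSIDE_ALERTS).items():
        for (sid, msg, proto, src, dport), n in events.items():
            print(f"{bucket:12s} x{n} {sid} {msg} {proto} from {src} to port {dport or '-'}")
```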