[Snort-users] Where to install Snort
Burleson, Lee (IA)
Lee.Burleson at ...1358...
Fri Mar 16 10:51:07 EST 2001
Greets to all.
This subject tips me off to a question that I've been wanting to ask for a
I will be bringing up a firewall soon at one of my network borders, and will
likely put my existing Snort box behind it. I have had thoughts about
putting up a separate box outside the firewall as well. I can see being
able to compare logs and so forth to provide more meaningful information by
way of differential analysis. I suppose the external IDS logs will be of
less use if the firewall provides useful-enough reporting (Gauntlet) though.
Any thoughts on this?
The 'no copy of Stick to the Snort community' issue sure steams me...
> -----Original Message-----
> From: Fyodor [mailto:fygrave at ...121...]
> Sent: Wednesday, March 14, 2001 6:15 PM
> To: Chris Kirby
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Where to install Snort
> On Tue, Mar 13, 2001 at 09:01:27PM -0500, Chris Kirby wrote:
> > Looks like Snort is a great package and I'd like to install it on our
> > production system but have a question about where to place it.
> > Our Internet connection connects to the public interface on our high
> > availability SunScreen EFS firewalls, the DMZ interface on the firewalls
> > then connect to high availability F5 BigIP load balancers, which then
> > connect to the subnet that contains our webserver farm.
> > Since I wouldn't want to implement a single point of failure, putting in
> > a single Snort box is not really the way to go. Can it be safely installed
> > on the firewalls (which are also processing packets) or should they be
> > installed on the webservers directly? What is the performance hit, if any,
> > like?
> > Any info I can get would be great.
> I'd actually install snort on the link behind the firewall
> and just in front of your webserver (or one of the
> webservers, if they share the same network media). Installing
> on the external interface of the firewall would probably give you too
> much skript-kiddie noise.
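The differential analysis raised in the message above (one sensor outside the firewall, one behind it), as an added example that is not part of the original thread and is not Snort's own code. It assumes the "fast" alert layout with a `{PROTO}` field, no NAT between the two sensors, and roughly synchronised clocks; the function names and all alert lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (documentation addresses), one list per sensor.
OUTSIDE = [
    "03/16-10:41:02.118301  [**] [1:1002:8] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:4021 -> 192.0.2.10:80",
    "03/16-10:41:05.554120  [**] SNMP request tcp [**] [Priority: 2] {TCP} 203.0.113.7:4030 -> 192.0.2.10:161",
    "03/16-10:42:11.900014  [**] ICMP PING NMAP [**] [Priority: 2] {ICMP} 198.51.100.23 -> 192.0.2.10",
]
INSIDE = [
    "03/16-10:41:02.120877  [**] [1:1002:8] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.7:4021 -> 192.0.2.10:80",
    "03/16-10:44:31.000412  [**] NETBIOS NT NULL session [**] [Priority: 2] {TCP} 192.0.2.15:1045 -> 192.0.2.10:139",
]

# Fast alert: timestamp, optional [gid:sid:rev], message, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

def parse(lines, year=2001):
    """Map (msg, proto, src, dst, dport) -> timestamps; fast alerts carry no year."""
    seen = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a fast-format alert line
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        # Source port is ignored: it is ephemeral and adds nothing to the match.
        seen[(m["msg"], m["proto"], m["src"], m["dst"], m["dport"])].append(ts)
    return seen

def differential(outside, inside, skew=timedelta(seconds=5)):
    """Classify alerts by whether the same event was seen on both sides."""
    out, ins = parse(outside), parse(inside)
    report = {"passed": [], "stopped": [], "inside_only": []}
    for key, times in out.items():
        hit = any(abs(a - b) <= skew for a in times for b in ins.get(key, []))
        report["passed" if hit else "stopped"].append(key)
    # Seen only behind the firewall: internal origin or another path in.
    report["inside_only"] = [k for k in ins if k not in out]
    return report

if __name__ == "__main__":
    for bucket, keys in differential(OUTSIDE, INSIDE).items():
        print(bucket, keys)
```

The "passed" bucket is what the firewall let through to the web servers; "stopped" is the outside-only noise, which is where firewall reporting and the external sensor overlap.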