[Snort-users] Where to install Snort

Burleson, Lee (IA) Lee.Burleson at ...1358...
Fri Mar 16 10:51:07 EST 2001

Greets to all.

This subject tips me off to a question that I've been wanting to ask for a
I will be bringing up a firewall soon at one of my network borders, and will
likely put my existing Snort box behind it.  I have had thoughts about
putting up a separate box outside the firewall as well.  I can see being
able to compare logs and so forth to provide more meaningful information by
way of differential analysis.  I suppose the external IDS logs will be of
less use if the firewall provides useful-enough reporting (Gauntlet) though.

Any thoughts on this?

The 'no copy of Stick to the Snort community' issue sure steams me...

- Lee

> -----Original Message-----
> From: Fyodor [mailto:fygrave at ...121...]
> Sent: Wednesday, March 14, 2001 6:15 PM
> To: Chris Kirby
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Where to install Snort
> On Tue, Mar 13, 2001 at 09:01:27PM -0500, Chris Kirby wrote:
> > Looks like Snort is a great package and I'd like to install
> > it on our production system but have a question about where
> > to place it.
> >
> > Our Internet connection connects to the public interface on
> > our high availability SunScreen EFS firewalls, the DMZ
> > interface on the firewalls then connect to high availability
> > F5 BigIP load balancers, which then connect to the subnet
> > that contains our webserver farm.
> >
> > Since I wouldn't want to implement a single point of
> > failure, putting in a single Snort box is not really the way
> > to go. Can it be safely installed on the firewalls (which are
> > also processing packets) or should they be installed on the
> > webservers directly? What is the performance hit, if any, like?
> > 
> > Any info I can get would be great.
> > 
> I'd actually install snort on the link behind the firewall
> and just in front of your webserver. (or one of the
> webservers, if they share the same network media), installing
> on external interface of firewall would probably give you too
> much skript-kiddie noise.

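The differential analysis Lee describes, comparing a sensor outside the firewall with one behind it, could look like the following; this is an added example, not code from the thread or from the Snort project. It assumes both sensors write Snort "fast"-style alert lines and that the firewall does not rewrite addresses (no NAT); the function names, rule IDs, messages and log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Assumed input format: Snort "fast" alert lines. Source ports are ignored so
# that retries of the same probe collapse into one key.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alerts(lines):
    """Count alerts per (signature, message, source IP, dest IP, dest port)."""
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if m:  # lines that are not alerts are skipped
            gid, sid, _rev = m["sid"].split(":")
            key = (f"{gid}:{sid}", m["msg"], m["src"], m["dst"], m["dport"] or "-")
            counts[key] += 1
    return counts

def differential(outside_lines, inside_lines):
    """Split alert keys by which side of the firewall observed them."""
    out, ins = parse_alerts(outside_lines), parse_alerts(inside_lines)
    return {
        "passed_firewall": sorted(out.keys() & ins.keys()),      # seen on both sensors
        "stopped_at_firewall": sorted(out.keys() - ins.keys()),  # seen outside only
        "inside_only": sorted(ins.keys() - out.keys()),          # internal origin or missed outside
    }

# Constructed sample logs (documentation address ranges, placeholder rule IDs).
OUTSIDE = [
    "03/16-10:51:07.000001  [**] [1:1000001:1] EXAMPLE web probe [**] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.0.2.10:80",
    "03/16-10:51:08.000001  [**] [1:1000002:1] EXAMPLE telnet attempt [**] [Priority: 2] {TCP} 203.0.113.5:40002 -> 192.0.2.10:23",
    "03/16-10:51:09.000001  [**] [1:1000003:1] EXAMPLE ping sweep [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
]
INSIDE = [
    "03/16-10:51:07.000450  [**] [1:1000001:1] EXAMPLE web probe [**] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.0.2.10:80",
    "03/16-10:52:30.000001  [**] [1:1000004:1] EXAMPLE internal sweep [**] [Priority: 2] {TCP} 192.0.2.20:1025 -> 192.0.2.10:445",
]

if __name__ == "__main__":
    for bucket, keys in differential(OUTSIDE, INSIDE).items():
        print(bucket)
        for key in keys:
            print("   ", *key)
```

The "inside_only" bucket is the one worth reviewing first: it holds traffic that either originated behind the firewall or reached the inner segment without the outer sensor alerting on it.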