[Snort-users] Where to install Snort

Gregor Binder gbinder at ...462...
Fri Mar 16 13:40:50 EST 2001

Burleson, Lee (IA) on Fri, Mar 16, 2001 at 09:51:07AM -0600:


> I will be bringing up a firewall soon at one of my network borders, and will
> likely put my existing Snort box behind it.  I have had thoughts about
> putting up a separate box outside the firewall as well.  I can see being
> able to compare logs and so forth to provide more meaningful information by
> way of differential analysis.  I suppose the external IDS logs will be of
> less use if the firewall provides useful-enough reporting (Gauntlet) though.
> Any thoughts on this?

Yep, good idea :) .. allows you to have a record of both very likely
successful attacks and probably unsuccessful attacks (which you might
want to keep as well, since they might have penetrated your firewall due
to something unexpected (a bug, packetfilters/proxies not being up ..)).

Correlation of those logs will be especially easy if you don't do any
NAT/masquerading. You will still have to deal with varying timestamps
and things like that.

In addition to that, depending on what this network is actually doing,
you can eliminate more false positives as opposed to just running a
sensor on the inside. Say if this is a server farm for example (penetration
originating from the inside less likely), there could be some things
like DNS queries triggering alerts, and since you would expect to see
successful penetrations from the outside on both sensors, there you go.
(This example assumes internal DNS servers).

Note that the inside sensor will much more likely drop packets, unless
you have a really fat pipe coming into your net (or you are running a
10baseT net on the inside :)).
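
Added example, not part of the original message: a sketch of the two-sensor correlation described above, assuming no NAT (so addresses match on both sides) and a small clock skew between the sensors. The record layout, signature names, addresses and the 5-second tolerance are constructed for illustration and are not Snort's own alert format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample alerts: (timestamp, signature, source, destination).
# Addresses are documentation ranges; the inside sensor clock runs 2 s behind.
OUTSIDE = [
    ("2001-03-16 13:40:50", "web cmd.exe access", "198.51.100.7:3312", "192.0.2.10:80"),
    ("2001-03-16 13:41:05", "SYN-FIN scan", "198.51.100.7:4000", "192.0.2.11:23"),
    ("2001-03-16 13:45:00", "web cmd.exe access", "198.51.100.7:3399", "192.0.2.10:80"),
]
INSIDE = [
    ("2001-03-16 13:40:48", "web cmd.exe access", "198.51.100.7:3312", "192.0.2.10:80"),
    ("2001-03-16 13:42:10", "DNS zone transfer", "192.0.2.20:1045", "192.0.2.53:53"),
]

def load(rows):
    return [(datetime.strptime(ts, FMT), sig, src, dst) for ts, sig, src, dst in rows]

def correlate(outside, inside, skew=timedelta(seconds=5)):
    """Pair alerts seen by both sensors. Without NAT the match key is
    (signature, source, destination); timestamps only have to agree
    within `skew`, which absorbs clock drift between the two boxes."""
    unmatched = sorted(load(inside))
    passed, blocked = [], []
    for alert in sorted(load(outside)):
        t, *key = alert
        hit = next((a for a in unmatched
                    if list(a[1:]) == key and abs(a[0] - t) <= skew), None)
        if hit is None:
            blocked.append(alert)        # outside only: probably did not get through
        else:
            unmatched.remove(hit)        # each inside alert is paired at most once
            passed.append((alert, hit))  # seen on both sides of the firewall
    return passed, blocked, unmatched    # leftover: inside only, not from outside

if __name__ == "__main__":
    passed, blocked, inside_only = correlate(OUTSIDE, INSIDE)
    print("both sensors:", [(o[1], o[2]) for o, _ in passed])
    print("outside only:", [(a[1], a[2]) for a in blocked])
    print("inside only: ", [(a[1], a[2]) for a in inside_only])
```

If the tolerance is smaller than the real clock offset between the sensors, every pair is missed and traffic that passed the firewall is reported as outside-only, so time synchronisation matters more than the matching logic.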


