[Snort-users] 2 sensors

Erek Adams erek at ...577...
Thu Nov 1 12:21:26 EST 2001


On Thu, 1 Nov 2001, snortlst snortlst wrote:

> My first sensor runs outside firewall and it displays a lot of alerts.
> The second sensor is placed inside my network and monitors firewall aln nic.
> It displays very few alerts (in fact only alerts from our external dns
> servers are displayed as a port scans)
> Is that normal? I mean is that normal that I almost don't see alerts inside
> my lan?

[Also see next message...]

Yes, IMHO, that's normal as normal gets.  Consider what a firewall does:
Allow or Deny or Drop packets based on rules you define.  If you don't let the
packets through the firewall, then your interior sensor won't see them.

DNS servers and portscans is listed in the FAQ.

http://www.snort.org/docs/faq.html#6.18

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list