[Snort-users] Machine placement

snortlst snortlst snortlst at ...125...
Fri Sep 14 09:22:01 EDT 2001


Let's say I want to capture three types of traffic:
1. Between router and firewall : bad external traffic coming on your network
2. On my DMZ : bad traffic your firewall let come in
3. On my local network : Policy enforcement, backdoor infected local
systems, etc.
Should I use three different snort machines for that purpose?


----- Original Message -----
From: "François Désarménien" <f.desarmenien at ...3437...>
To: "snortlst snortlst" <snortlst at ...125...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, September 14, 2001 10:33 AM
Subject: Re: [Snort-users] Machine placement


> Fri, 14 Sep 2001 08:33:28 -0500
> "snortlst snortlst" <snortlst at ...125...> wrote:
>
> > I have quite a standard setup:
> > Firewall and external router connected to one hub.
> > DMZ servers connected to another hub
> > LAN is connected to the other hubs.
> > Hub are interconnected.
>
> By gateways ? It isn't clear.
>
> >
> > What is the better place to plug the snort machine in my network?
>
> It really depends what you expect to catch :
>
> - Between router and firewall : bad external traffic coming on your network
>
> - On your DMZ : bad traffic your firewall let come in
>
> - On your local network : Policy enforcement, backdoor infected local systems, etc.
>
> > It is a 100Mb network, should I really run snort in -b (binary) mode in that environment?
>
> Again, it depends on the network load, the CPU speed, the disk speed, the OS, the weather, etc.
>
> '-b' being the fastest, you simply lower the risk of missing packets.
>
> Hope this helps
>
> F.
>
