[Snort-users] Re: Where do I need to put my Snort sensor outside of the firewall in order for FlexResponse to work?

Marty.Bostick at ...3528... Marty.Bostick at ...3528...
Thu Sep 20 06:14:04 EDT 2001

I have multiple Snort sensors in place within my network, however when
situations such as the "Nimda" worm arise, I would like to be able to reset
those connections and drop them before they even reach my firewall.

Currently, I have created a new stripped down install of Snort with only
the rules that I want to enforce FlexResponse on (Approx. 5 of them).  I
have placed this sensor outside of my firewall (in parallel) and it is
mirroring the port of the outside Firewall interface.

So far, it seems to catch every rule that I want it to; however, it never
once has dropped an offending connection from an intruder.

Does this device have to be placed inline before it reaches the firewall
and does it have to use 2 NICs?

I am lost and really need help here.


Marty Bostick
Database Administrator
(205) 423-5079

