[Snort-users] Snort Sensor Placement Outside Firewall

Michael Steele michaels at ...9077...
Wed Jun 25 22:39:14 EDT 2003



What volume of traffic do you have to manage every day, and how much time do
you actually spend managing that traffic? I’m assuming that you do have the
IDS on the outside of the firewall? This was the crux of Rich’s question. If
your IDS is on the outside of your firewall can you tell me what the reason






-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of David Alonso
De La Vega Tapage
Sent: Wednesday, June 25, 2003 9:17 AM
To: rlichvar at ...9486...
Cc: Snort Users List (E-mail)
Subject: Re: [Snort-users] Snort Sensor Placement Outside Firewall


Hi Rich .. 

David from Panamá .. 

Ok ..  I have this setup on my net ..  check it .. 

1. My Linux box is RH 7.3 (soon RH 9) with 20 GB hard disk.
2. 512 on swapping
3. 512 MB RAM
4. 1.8 GHz processor
5. Snort 2.0 + MySQL + ACID
6. 2 NICs (one for management), 3Com for Snort.
7. strike cables cat 5 to connect your box in a hub (or switch with mirror
port)

My Snort functions perfectly .. !   I hope that is the right information for
you .. !

Cheers .. 

Rich Lichvar wrote:

I know this is a bit off-topic, but I need some advice/help and would like
to tap the experience of those who probably have successfully done what we
are thinking of doing.


We are thinking of putting a Snort-based sensor outside our firewall in the
Untrusted zone. (This is after the border/edge/gateway router which is
controlled by our hosting facility and not us.) I was wondering if any of
you had any advice about:


1. OS: Linux? Hardened how? What system capacity (RAM, hard drive) might be

2. Cabling setup: Internet Cat 5 cable to hub and cable from hub to sensor
and cable from hub to Untrusted port of firewall? (I've tried this in the
past and had problems with traffic even getting to the firewall. Maybe a
crossover cable is needed?)


Many thanks in advance for any advice/experience you would offer.


Richard L. Lichvar

Director, Operations

Knowledge Resource Center, Inc.

Phone: 703-848-2100 x228

Fax: 703-848-4747

Mobile: 571-221-3430



