Fw: [Snort-users] Snort Sensor Placement Outside Firewall

Tom Sevy tsevy at ...1701...
Thu Jun 26 07:53:21 EDT 2003

Put it on the outside for testing -- you should get more data than on the
inside.  Then decide after the testing about where to position it as Erek

On Wed, 25 Jun 2003, Michael Steele wrote:

> You forgot to mention the time that may be involved in sorting through the
> massive amount of data with a sensor on the outside.

More like "didn't mention" vs. "forgot".  Usually unless someone is just
feeling masochistic, the information overload from outside the firewall is
usually changed/toned down ASAP.

> What could be some of the possibilities that make that scenario a possible
> solution, when the IDS could or should in most cases be placed on the near
> side of the firewall?


That one has been beaten to death so many times it's not even funny.  You
can place it before or after the FW, but I think that's a choice that has
to be made after testing.  I don't think there is a hard and fast answer
to 'where?'.  You're going to almost always have to test/retest to check
out how it works and how you want to handle it.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list