Fw: [Snort-users] Snort Sensor Placement Outside Firewall
tsevy at ...1701...
Thu Jun 26 07:53:21 EDT 2003
Put it on the outside for testing -- you should get more data than on the
inside. Then decide after the testing about where to position it as Erek
On Wed, 25 Jun 2003, Michael Steele wrote:
> You forgot to mention the time that may be involved in sorting through the
> massive amount of data with a sensor on the outside.
More like "didn't mention" vs. "forgot". Usually unless someone is just
feeling masochistic, the information overload from outside the firewall is
usually changed/toned down ASAP.
> What could be some of the possibilities that make that scenario a possible
> solution, when the IDS could or should in most cases be placed on the near
> side of the firewall?
That one has been beaten to death so many times it's not even funny. You
can place it before or after the FW, but I think that's a choice that has
to be made after testing. I don't think there is a hard and fast answer
to 'where?'. You're going to almost always have to test/retest to check
out how it works and how you want to handle it.
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users