[Snort-users] Snort Sensor Placement Outside Firewall

David Alonso De La Vega Tapage delavegad at ...7768...
Thu Jun 26 09:20:08 EDT 2003


Hi Michael ..

Yes, my Snort box stays outside of my firewall ..

The reason .. ? I'm very interested in knowing everything happening on the 
outside of my net, specifically my firewall. On my firewall I use DNAT and 
have too many things blocked .. or, it is easier to say .. only some things 
opened ..

When I put my Snort box outside, in the first days I had so many alerts 
and unnecessary messages, and my Snort box and I had a long period of 
purging all the rules; now I only have some special rules that work for 
me ..

Cheers ..


Michael Steele wrote:

> David,
>
> What volume of traffic do you have to manage every day, and how much 
> time do you actually spend managing that traffic? I'm assuming that 
> you do have the IDS on the outside of the firewall? This was the crux 
> of Rich's question. If your IDS is on the outside of your firewall, can 
> you tell me what the reason is?
>
> Cheers...
>
> Michael
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of David 
> Alonso De La Vega Tapage
> Sent: Wednesday, June 25, 2003 9:17 AM
> To: rlichvar at ...9486...
> Cc: Snort Users List (E-mail)
> Subject: Re: [Snort-users] Snort Sensor Placement Outside Firewall
>
>  
>
> Hi Rich ..
>
> David from Panamá ..
>
> OK .. I have this setup on my net .. check it ..
>
> 1. My Linux box is RH 7.3 (soon RH 9) with a 20 GB hard disk.
> 2. 512 on swap
> 3. 512 MB RAM
> 4. 1.8 GHz processor
> 5. Snort 2.0 + MySQL + ACID
> 6. 2 NICs (one for management), 3Com for Snort.
> 7. Straight Cat 5 cables to connect your box to a hub (or switch with 
> mirror port)
>
> My Snort functions perfectly .. ! I hope that is the right information 
> for you .. !
>
> Cheers ..
>
>
> Rich Lichvar wrote:
>
> I know this is a bit off-topic, but I need some advice/help and would 
> like to tap the experience of those who probably have successfully 
> done what we are thinking of doing.
>
> We are thinking of putting a Snort-based sensor outside our firewall 
> in the Untrusted zone. (This is after the border/edge/gateway router 
> which is controlled by our hosting facility and not us.) I was 
> wondering if any of you had any advice about:
>
> 1. OS: Linux? Hardened how? What system capacity (RAM, hard 
> drive) might be required?
>
> 2. Cabling setup: Internet Cat 5 cable to hub and cable from hub to 
> sensor and cable from hub to Untrusted port of firewall? (I've tried 
> this in the past and had problems with traffic even getting to the 
> firewall. Maybe a crossover cable is needed?)
>
> Many thanks in advance for any advice/experience you would offer.
>
> Richard L. Lichvar
> Director, Operations
> Knowledge Resource Center, Inc.
> Phone: 703-848-2100 x228
> Fax: 703-848-4747
> Mobile: 571-221-3430
>
