[Snort-users] Snort Sensor Placement Outside Firewall

Michael Steele michaels at ...9077...
Thu Jun 26 10:43:09 EDT 2003

If your curious in what is hitting the outside and also monitoring the
inside, then do some sort of correlation of the two to see exactly what the
firewall is doing, could be a possible use.

I don't see the point in making it a day to day operation of some monitoring
policy. I know I'd hate the task of wading through all that data.


-Michael Steele
 System Engineer / Security Support Technician     
 mailto:michaels at ...9077...    
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Tom Sevy
Sent: Thursday, June 26, 2003 7:52 AM
To: Snort-users at lists.sourceforge.net
Subject: Fw: [Snort-users] Snort Sensor Placement Outside Firewall

Put it on the outside for testing -- you should get more data than on the
inside.  Then decide after the testing about where to position it as Erek

On Wed, 25 Jun 2003, Michael Steele wrote:

> You forgot to mention the time that may be involved in sorting through the
> massive amount of data with a sensor on the outside.

More like "didn't mention" vs. "forgot".  Usually unless someone is just
feeling masochistic, the information overload from outside the firewall is
usually changed/toned down ASAP.

> What could be some of the possibilities that make that scenario a possible
> solution, when the IDS could or should in most cases be placed on the near
> side of the firewall?


That one has been beaten to death so many times it's not even funny.  You
can place it before or after the FW, but I think that's a choice that has
to be made after testing.  I don't think there is a hard and fast answer
to 'where?'.  You're going to almost always have to test/retest to check
out how it works and how you want to handle it.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list