[Snort-users] Attack on snort running in Public Zone

MH procana at ...4296...
Fri Nov 14 19:07:02 EST 2003

Hi KS,

If you assign a routable address to your snort sensor, it will
be directly exposed to all the things any other system on the Internet
is exposed to (including (D)DoS attacks).
All of the *external* sensors that I have deployed
run OpenBSD with very restrictive pf rulesets.  I would
never recommend that anyone put an MS system outside
of a firewall, especially with a *live* IP address.
Then again, I wouldn't recommend anyone put an MS system
inside of a firewall either ;)

Is it necessary that you assign an IP address to your external
sensor?  You might want to consider not binding any address.

Hope this helps,

On Mon, Nov 10, 2003 at 08:48:11PM +0530, KS wrote:
> Hello Everybody.
> I have snort running on win2k and it is working fine so far. I had placed it in the DMZ to monitor the malicious traffic passing through the firewall, and now I want to put another snort win2k system in the Public zone, i.e. in between my router and firewall, so I can know which traffic is actually hitting the outside interface of my firewall.
> My concern is: since my snort system (win2k) is gonna be on a public IP address, what will happen if somebody runs a Denial of Service attack on my snort system itself?
> How can I be sure that my snort system running on win2k is safe from a DoS attack?
> Thanks
> KS
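As an added illustration of the two points made in the reply above (a sniffing interface with no address bound, and a restrictive pf ruleset on an OpenBSD sensor), here is a small shell script. It is not code from the thread or from the Snort project; the interface names `em0`/`em1`, the management host `192.0.2.10`, the snort.conf path and the output file name are assumptions. The ifconfig and snort commands are printed rather than executed so the script can be reviewed on any host, and the pf ruleset is written to a file and sanity-checked before anyone loads it.

```shell
#!/bin/sh
# Added example (not from the thread): prepare an external Snort sensor on
# OpenBSD so that the sniffing interface carries no IP address and pf drops
# every packet on it.  All names below are assumptions for illustration.
SNIFF_IF="${SNIFF_IF:-em0}"            # assumption: tap/span port between router and firewall
MGMT_IF="${MGMT_IF:-em1}"              # assumption: management interface on an internal LAN
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"   # assumption: admin workstation (documentation range)
PF_CONF="${PF_CONF:-./pf.conf.sensor}" # assumption: where the generated ruleset is written

# Bring the sniffing interface up without assigning an address (OpenBSD
# ifconfig syntax) and start snort on it.  Printed, not executed, so this
# runs anywhere for review; a stealth interface with no address cannot be
# addressed directly, so there is no socket for an attacker to flood.
stealth_iface_cmds() {
    printf 'ifconfig %s up\n' "$SNIFF_IF"
    printf 'snort -i %s -c /etc/snort/snort.conf -D\n' "$SNIFF_IF"
}

# Write a default-deny pf ruleset: nothing passes on the sniffing interface
# in either direction; management is SSH only, from one host, on another
# interface.  Snort still sees every frame on $SNIFF_IF through bpf; pf
# rules only decide what the sensor's own IP stack will answer.
gen_pf_conf() {
    cat > "$PF_CONF" <<EOF
sniff_if = "$SNIFF_IF"
mgmt_if = "$MGMT_IF"
mgmt_host = "$MGMT_HOST"

set skip on lo0
set block-policy drop

# default deny, silently
block all

# the sniffing interface never talks to anyone
block drop in quick on \$sniff_if
block drop out quick on \$sniff_if

# management: SSH from the admin host only, with state
pass in quick on \$mgmt_if proto tcp from \$mgmt_host to (\$mgmt_if) port 22 keep state
pass out quick on \$mgmt_if proto { tcp udp } to \$mgmt_host keep state
EOF
}

# Checks a practitioner would run before loading the file: a default deny
# is present, no pass rule mentions the sniffing interface, and (where
# pfctl exists) the syntax parses.  Returns 0 when the ruleset is acceptable.
check_pf_conf() {
    grep -q '^block all' "$PF_CONF" || return 1
    grep '^pass' "$PF_CONF" | grep -q 'sniff_if' && return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$PF_CONF" || return 1   # parse only; -n never loads rules
    fi
    return 0
}
```

Run `gen_pf_conf && check_pf_conf && stealth_iface_cmds` on the sensor to produce the ruleset, verify it, and see the commands to type; loading is then `pfctl -f ./pf.conf.sensor` by hand. The point of keeping the sniffing interface address-less is that the sensor can still read every frame passing between router and firewall while offering no reachable endpoint on that segment.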

