[Snort-users] Attack on snort running in Public Zone

MH procana at ...4296...
Fri Nov 14 19:07:02 EST 2003


Hi KS,

If you assign a routable address to your snort sensor, it will
be directly exposed to all the things any other system on the Internet
is exposed to (including (D)DOS attacks).
All of the *external* sensors that I have deployed
run OpenBSD with very restrictive pf rulesets.  I would
never recommend that anyone put an ms system outside
of a firewall, especially with a *live* ip address.
Then again, I wouldn't recommend anyone put an ms system
inside of a firewall either ;)

Is it necessary that you assign an ip address to your external
sensor?  You might want to consider not binding any address.

Hope this helps,
Mike

On Mon, Nov 10, 2003 at 08:48:11PM +0530, KS wrote:
> Hello Everybody.
>
> I have snort running on win2k and it is working fine so far. I had placed it in the DMZ to monitor the malicious traffic passing through the firewall, and now I want to put another snort win2k system in the Public zone, i.e. in between my router and firewall, so I can know which traffic is actually hitting the outside interface of my firewall.
> My concern is: since my snort system (win2k) is gonna be on a public IP address, what will happen if somebody runs a Denial of service attack on my snort system itself?
> How can I be sure that my snort system running on win2k is safe from DOS attack?
>  
> Thanks
> KS
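One way to put Mike's advice into practice, as an added example that is not from either poster: a pf.conf for an external OpenBSD sensor whose sniffing interface carries no address and is blocked in both directions, with management allowed only over a second interface. The interface names (em0, em1) and the admin address (192.0.2.10) are assumptions chosen for the example.

```pf
# Added example, not part of the original thread.
# Assumptions: em1 sniffs the router<->firewall segment and is brought up with
# no IP address (echo up > /etc/hostname.em1); em0 is a management interface
# on the inside; 192.0.2.10 is a constructed address for the admin workstation.
sniff_if = "em1"
mgmt_if  = "em0"
admin    = "192.0.2.10"

set skip on lo0
set block-policy drop     # discard silently; never answer with RST or ICMP

# Default deny in both directions; everything below is an explicit exception.
block all

# The sniffing interface neither accepts nor originates traffic. snort still
# sees every frame through bpf, which taps the interface before pf evaluates
# anything, so flooding the sensor's address gains the attacker nothing here.
block in  quick on $sniff_if all
block out quick on $sniff_if all

# Management: SSH only from the admin host, to the address on em0.
pass in on $mgmt_if proto tcp from $admin to ($mgmt_if) port 22 \
    flags S/SA keep state

# Let the sensor resolve names and ship alerts to a syslog collector, nothing else.
pass out on $mgmt_if proto { tcp udp } from ($mgmt_if) to any port { 53 514 } keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `ifconfig em1` that the sniffing interface shows no inet address.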